Analysis
-
max time kernel
159s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19/03/2024, 20:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe
-
Size
312KB
-
MD5
170554d6b4bfa363a65ab745e86da295
-
SHA1
d396f3265712dca21bc0443e8beabd678d37b842
-
SHA256
61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37
-
SHA512
b142bb79b44c23a83496a796334bf27b310ea815ff613c469bf6f4310250cca0360dc12ad7081f72322ecdbfef70baee2957d2f0eea35da895a5f9f7c4d45da4
-
SSDEEP
6144:0ZOPXuapoaCPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSf:fuqFHRFbev
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimonh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpabho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khoeok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpaai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aflpde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhemfbnq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlpjikd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgeipah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idieob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjkkghp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgpceogl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmanj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfbbhdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efafqolp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikfbkbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nodijffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kahihagd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abngngjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apdkmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcdkdpih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcjgcni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omniiclb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cefogo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaanif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofncde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmlhoil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqkeoama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaflag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiaobjia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlhlcnge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjqjqao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmkbgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnllqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joqapmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfgjcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpdhfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgpfgil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afmfolcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dacmjpgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdjnha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjqkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppphkq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daqbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmbaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnohgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhenpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnccmnak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doeifpkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooqqmoac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemephgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbkpokhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjjkkghp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcdiahme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dadlmanj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apbghkhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gekckpgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efamkepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hibape32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkgekock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqmhjged.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkklkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdembk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpmknf32.exe -
Executes dropped EXE 64 IoCs
pid Process 436 Iamoon32.exe 788 Mkadam32.exe 3016 Mfgiof32.exe 2496 Nilkkq32.exe 3536 Nfchjddj.exe 4252 Nnnmogae.exe 2168 Pbjbfclk.exe 4544 Amgekh32.exe 4176 Bgfpdmho.exe 3248 Dcdpakii.exe 1088 Emfgpo32.exe 3428 Fgqehgco.exe 4396 Fcnlng32.exe 4048 Gagebknp.exe 880 Ghcjedcj.exe 4852 Hanlcjgh.exe 2416 Ihagfb32.exe 3548 Iffcgoka.exe 868 Iodaikfl.exe 1304 Jhmfba32.exe 4336 Kobnji32.exe 3100 Khkbcopl.exe 2460 Knldfe32.exe 2940 Kgeiokao.exe 4564 Lonnfg32.exe 4600 Lqbgcp32.exe 4376 Lglopjkg.exe 5016 Lqdcio32.exe 4932 Lkjhfh32.exe 4068 Mkangg32.exe 1396 Mhenpk32.exe 116 Mndcnafd.exe 1140 Mglhgg32.exe 4624 Ndbefkjk.exe 4140 Nkagndmc.exe 5080 Oeqagi32.exe 2528 Opfedb32.exe 4640 Oagbljcp.exe 3768 Ogajid32.exe 1836 Pgdgodhj.exe 3920 Pbiklmhp.exe 1912 Piepnfnj.exe 500 Ppphkq32.exe 684 Pelacg32.exe 2556 Pngbam32.exe 1568 Peajngoi.exe 3220 Qajhigcj.exe 3348 Ahdpea32.exe 2972 Aaanif32.exe 1456 Apdkmn32.exe 1668 Bafgdfim.exe 4556 Bppjhl32.exe 3784 Coegih32.exe 700 Clldhljp.exe 5136 Ccfmef32.exe 5176 Dlgddkpc.exe 5224 Dadlmanj.exe 5264 Eokjke32.exe 5304 Ehcndkaa.exe 5344 Ebnocpfp.exe 5384 Ehhgpj32.exe 5424 Eoapldei.exe 5464 Ejgdim32.exe 5504 Ecphbckp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nngoddkg.exe Nlhbja32.exe File opened for modification C:\Windows\SysWOW64\Hgfaij32.exe Hibape32.exe File opened for modification C:\Windows\SysWOW64\Dadlmanj.exe Dlgddkpc.exe File created C:\Windows\SysWOW64\Qgalelin.exe Qnihlf32.exe File created C:\Windows\SysWOW64\Fckacknf.exe Fhemfbnq.exe File created C:\Windows\SysWOW64\Jidkek32.exe Jianpl32.exe File created C:\Windows\SysWOW64\Kncfkjpc.dll Mlciobhj.exe File created C:\Windows\SysWOW64\Gmganc32.dll Fppjpmim.exe File created C:\Windows\SysWOW64\Offnae32.exe Oceepj32.exe File created C:\Windows\SysWOW64\Pfblcm32.dll Ohqpcdek.exe File opened for modification C:\Windows\SysWOW64\Aaanif32.exe Ahdpea32.exe File created C:\Windows\SysWOW64\Ehlakjig.exe Ecphbckp.exe File created C:\Windows\SysWOW64\Ofpfmaai.dll Lqikfi32.exe File created C:\Windows\SysWOW64\Fammoofd.dll Dddlfa32.exe File created C:\Windows\SysWOW64\Mdckpqod.exe Mebkbi32.exe File created C:\Windows\SysWOW64\Cfldob32.exe Cbnkhcha.exe File created C:\Windows\SysWOW64\Blicnooe.dll Mgfqgkib.exe File opened for modification C:\Windows\SysWOW64\Hpabho32.exe Higjkehf.exe File created C:\Windows\SysWOW64\Lenpnjke.dll Jgpmffeh.exe File opened for modification C:\Windows\SysWOW64\Mjjkkghp.exe Mcpcnm32.exe File created C:\Windows\SysWOW64\Lnjmgl32.dll Khabdk32.exe File opened for modification C:\Windows\SysWOW64\Acbmcima.exe Amhdfo32.exe File opened for modification C:\Windows\SysWOW64\Gagebknp.exe Fcnlng32.exe File opened for modification C:\Windows\SysWOW64\Lkjhfh32.exe Lqdcio32.exe File opened for modification C:\Windows\SysWOW64\Aecika32.exe Acbmcima.exe File opened for modification C:\Windows\SysWOW64\Fppjpmim.exe Fejebdig.exe File opened for modification C:\Windows\SysWOW64\Lgdinmod.exe Llmhkd32.exe File opened for modification C:\Windows\SysWOW64\Occgkngd.exe Ohncnegn.exe File created C:\Windows\SysWOW64\Ohqpcdek.exe Occgkngd.exe File opened for modification C:\Windows\SysWOW64\Pgpmdh32.exe Omjhgoco.exe File opened for modification C:\Windows\SysWOW64\Ggpbcaei.exe Gngnjk32.exe File created C:\Windows\SysWOW64\Lfeaegdi.exe Klifhpjk.exe File opened for modification C:\Windows\SysWOW64\Phaabm32.exe Pknqhh32.exe File opened for modification C:\Windows\SysWOW64\Qkgcog32.exe Qdmkbmnl.exe File opened for modification C:\Windows\SysWOW64\Bfebjd32.exe Bpkjnjqc.exe File created C:\Windows\SysWOW64\Cmmghl32.exe Cefogo32.exe File created C:\Windows\SysWOW64\Ekngqqol.exe Deanhj32.exe File created C:\Windows\SysWOW64\Nbckflji.dll Omjhgoco.exe File created C:\Windows\SysWOW64\Jnpjegpk.exe Jhfbim32.exe File created C:\Windows\SysWOW64\Kgcqil32.dll Hbegakcb.exe File created C:\Windows\SysWOW64\Geelllgg.dll Aplahpdo.exe File created C:\Windows\SysWOW64\Bkgeiojp.dll Maefnk32.exe File created C:\Windows\SysWOW64\Gmjlmo32.exe Gcagdj32.exe File opened for modification C:\Windows\SysWOW64\Dldlbgbb.exe Dpmknf32.exe File created C:\Windows\SysWOW64\Lbaipffa.dll Ohncnegn.exe File created C:\Windows\SysWOW64\Ihagfb32.exe Hanlcjgh.exe File created C:\Windows\SysWOW64\Kpihpm32.dll Ppphkq32.exe File created C:\Windows\SysWOW64\Cgklggic.exe Cancoqkl.exe File opened for modification C:\Windows\SysWOW64\Mcoeiqil.exe Mekdplkb.exe File opened for modification C:\Windows\SysWOW64\Ganppk32.exe Gkdhcqcj.exe File created C:\Windows\SysWOW64\Mjdkeaij.exe Mckbhg32.exe File created C:\Windows\SysWOW64\Hbakiina.exe Henjoe32.exe File created C:\Windows\SysWOW64\Bpkllo32.exe Biadoeib.exe File created C:\Windows\SysWOW64\Papgndfl.dll Kdfjej32.exe File created C:\Windows\SysWOW64\Ddbppa32.exe Cgnogmkl.exe File created C:\Windows\SysWOW64\Jonfci32.dll Iacbbh32.exe File created C:\Windows\SysWOW64\Klceeejl.exe Kpldpddh.exe File created C:\Windows\SysWOW64\Cnbcoe32.dll Kgacaopj.exe File created C:\Windows\SysWOW64\Elhdhn32.dll Bpqjcp32.exe File created C:\Windows\SysWOW64\Ebdiqcom.dll Pkfbpoog.exe File opened for modification C:\Windows\SysWOW64\Ahdpea32.exe Qajhigcj.exe File opened for modification C:\Windows\SysWOW64\Kijcanhl.exe Kbpkdd32.exe File opened for modification C:\Windows\SysWOW64\Chblebll.exe Bhpopb32.exe File created C:\Windows\SysWOW64\Amckkpij.exe Abngngjd.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpeibdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pliidmmf.dll" Lboeknkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcdcbokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkgekock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfpiffmb.dll" Hgapfpjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddolpkhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dphikllo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhfinh32.dll" Kiejfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjafha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mccodp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghcjedcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahdpea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nimbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flgaodbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akamab32.dll" Nilkkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elbhde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fimonh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgpceogl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbcipdgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkjhfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncofjaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehpngogl.dll" Ekoddodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqnckpj.dll" Kpldpddh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afmfolcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkgdaegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elenahhh.dll" Emfgpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdckpqod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amhdfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdembk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqhmbqlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmomga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anmagenh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqbln32.dll" Bdjjnoje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlbindfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhemfbnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaeedej.dll" Ofncde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmchfocl.dll" Ajfobfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbnjl32.dll" Mbbloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbbloc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfekaajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbjbbqj.dll" Qgalelin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daqbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibffbnjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efafqolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fimonh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogajid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgmapcqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnifbmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afekjp32.dll" Kgenlldo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eenfff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmgjbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkgcog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjoeoedo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnlelpgj.dll" Amdddkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didmclli.dll" Lelcbmcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnphid32.dll" Nnmdfknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pklcmpbo.dll" Dffmogji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jihbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqhknd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgi32.dll" Abmbaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgelq32.dll" Cbnkhcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glgckl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahdpea32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1636 wrote to memory of 436 1636 61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe 103 PID 1636 wrote to memory of 436 1636 61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe 103 PID 1636 wrote to memory of 436 1636 61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe 103 PID 436 wrote to memory of 788 436 Iamoon32.exe 104 PID 436 wrote to memory of 788 436 Iamoon32.exe 104 PID 436 wrote to memory of 788 436 Iamoon32.exe 104 PID 788 wrote to memory of 3016 788 Mkadam32.exe 105 PID 788 wrote to memory of 3016 788 Mkadam32.exe 105 PID 788 wrote to memory of 3016 788 Mkadam32.exe 105 PID 3016 wrote to memory of 2496 3016 Mfgiof32.exe 106 PID 3016 wrote to memory of 2496 3016 Mfgiof32.exe 106 PID 3016 wrote to memory of 2496 3016 Mfgiof32.exe 106 PID 2496 wrote to memory of 3536 2496 Nilkkq32.exe 107 PID 2496 wrote to memory of 3536 2496 Nilkkq32.exe 107 PID 2496 wrote to memory of 3536 2496 Nilkkq32.exe 107 PID 3536 wrote to memory of 4252 3536 Nfchjddj.exe 108 PID 3536 wrote to memory of 4252 3536 Nfchjddj.exe 108 PID 3536 wrote to memory of 4252 3536 Nfchjddj.exe 108 PID 4252 wrote to memory of 2168 4252 Nnnmogae.exe 109 PID 4252 wrote to memory of 2168 4252 Nnnmogae.exe 109 PID 4252 wrote to memory of 2168 4252 Nnnmogae.exe 109 PID 2168 wrote to memory of 4544 2168 Pbjbfclk.exe 110 PID 2168 wrote to memory of 4544 2168 Pbjbfclk.exe 110 PID 2168 wrote to memory of 4544 2168 Pbjbfclk.exe 110 PID 4544 wrote to memory of 4176 4544 Amgekh32.exe 111 PID 4544 wrote to memory of 4176 4544 Amgekh32.exe 111 PID 4544 wrote to memory of 4176 4544 Amgekh32.exe 111 PID 4176 wrote to memory of 3248 4176 Bgfpdmho.exe 112 PID 4176 wrote to memory of 3248 4176 Bgfpdmho.exe 112 PID 4176 wrote to memory of 3248 4176 Bgfpdmho.exe 112 PID 3248 wrote to memory of 1088 3248 Dcdpakii.exe 113 PID 3248 wrote to memory of 1088 3248 Dcdpakii.exe 113 PID 3248 wrote to memory of 1088 3248 Dcdpakii.exe 113 PID 1088 wrote to memory of 3428 1088 Emfgpo32.exe 114 PID 1088 wrote to memory of 3428 1088 Emfgpo32.exe 114 PID 1088 wrote to memory of 3428 1088 Emfgpo32.exe 114 PID 3428 wrote to memory of 4396 3428 Fgqehgco.exe 115 PID 3428 wrote to memory of 4396 3428 Fgqehgco.exe 115 PID 3428 wrote to memory of 4396 3428 Fgqehgco.exe 115 PID 4396 wrote to memory of 4048 4396 Fcnlng32.exe 116 PID 4396 wrote to memory of 4048 4396 Fcnlng32.exe 116 PID 4396 wrote to memory of 4048 4396 Fcnlng32.exe 116 PID 4048 wrote to memory of 880 4048 Gagebknp.exe 117 PID 4048 wrote to memory of 880 4048 Gagebknp.exe 117 PID 4048 wrote to memory of 880 4048 Gagebknp.exe 117 PID 880 wrote to memory of 4852 880 Ghcjedcj.exe 118 PID 880 wrote to memory of 4852 880 Ghcjedcj.exe 118 PID 880 wrote to memory of 4852 880 Ghcjedcj.exe 118 PID 4852 wrote to memory of 2416 4852 Hanlcjgh.exe 119 PID 4852 wrote to memory of 2416 4852 Hanlcjgh.exe 119 PID 4852 wrote to memory of 2416 4852 Hanlcjgh.exe 119 PID 2416 wrote to memory of 3548 2416 Ihagfb32.exe 120 PID 2416 wrote to memory of 3548 2416 Ihagfb32.exe 120 PID 2416 wrote to memory of 3548 2416 Ihagfb32.exe 120 PID 3548 wrote to memory of 868 3548 Iffcgoka.exe 121 PID 3548 wrote to memory of 868 3548 Iffcgoka.exe 121 PID 3548 wrote to memory of 868 3548 Iffcgoka.exe 121 PID 868 wrote to memory of 1304 868 Iodaikfl.exe 122 PID 868 wrote to memory of 1304 868 Iodaikfl.exe 122 PID 868 wrote to memory of 1304 868 Iodaikfl.exe 122 PID 1304 wrote to memory of 4336 1304 Jhmfba32.exe 123 PID 1304 wrote to memory of 4336 1304 Jhmfba32.exe 123 PID 1304 wrote to memory of 4336 1304 Jhmfba32.exe 123 PID 4336 wrote to memory of 3100 4336 Kobnji32.exe 124
Processes
-
C:\Users\Admin\AppData\Local\Temp\61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe"C:\Users\Admin\AppData\Local\Temp\61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Iamoon32.exeC:\Windows\system32\Iamoon32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Mkadam32.exeC:\Windows\system32\Mkadam32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Mfgiof32.exeC:\Windows\system32\Mfgiof32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Nilkkq32.exeC:\Windows\system32\Nilkkq32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Nfchjddj.exeC:\Windows\system32\Nfchjddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Nnnmogae.exeC:\Windows\system32\Nnnmogae.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Pbjbfclk.exeC:\Windows\system32\Pbjbfclk.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Amgekh32.exeC:\Windows\system32\Amgekh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Bgfpdmho.exeC:\Windows\system32\Bgfpdmho.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Dcdpakii.exeC:\Windows\system32\Dcdpakii.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Emfgpo32.exeC:\Windows\system32\Emfgpo32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Fgqehgco.exeC:\Windows\system32\Fgqehgco.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\Fcnlng32.exeC:\Windows\system32\Fcnlng32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\Gagebknp.exeC:\Windows\system32\Gagebknp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Ghcjedcj.exeC:\Windows\system32\Ghcjedcj.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Hanlcjgh.exeC:\Windows\system32\Hanlcjgh.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Ihagfb32.exeC:\Windows\system32\Ihagfb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Iffcgoka.exeC:\Windows\system32\Iffcgoka.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Iodaikfl.exeC:\Windows\system32\Iodaikfl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Jhmfba32.exeC:\Windows\system32\Jhmfba32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Kobnji32.exeC:\Windows\system32\Kobnji32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Khkbcopl.exeC:\Windows\system32\Khkbcopl.exe23⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Knldfe32.exeC:\Windows\system32\Knldfe32.exe24⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Kgeiokao.exeC:\Windows\system32\Kgeiokao.exe25⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Lonnfg32.exeC:\Windows\system32\Lonnfg32.exe26⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Lqbgcp32.exeC:\Windows\system32\Lqbgcp32.exe27⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Lglopjkg.exeC:\Windows\system32\Lglopjkg.exe28⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Lqdcio32.exeC:\Windows\system32\Lqdcio32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5016 -
C:\Windows\SysWOW64\Lkjhfh32.exeC:\Windows\system32\Lkjhfh32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:4932 -
C:\Windows\SysWOW64\Mkangg32.exeC:\Windows\system32\Mkangg32.exe31⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Mhenpk32.exeC:\Windows\system32\Mhenpk32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Mndcnafd.exeC:\Windows\system32\Mndcnafd.exe33⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Mglhgg32.exeC:\Windows\system32\Mglhgg32.exe34⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Ndbefkjk.exeC:\Windows\system32\Ndbefkjk.exe35⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Nkagndmc.exeC:\Windows\system32\Nkagndmc.exe36⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Oeqagi32.exeC:\Windows\system32\Oeqagi32.exe37⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Opfedb32.exeC:\Windows\system32\Opfedb32.exe38⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Oagbljcp.exeC:\Windows\system32\Oagbljcp.exe39⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Ogajid32.exeC:\Windows\system32\Ogajid32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3768 -
C:\Windows\SysWOW64\Pgdgodhj.exeC:\Windows\system32\Pgdgodhj.exe41⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Pbiklmhp.exeC:\Windows\system32\Pbiklmhp.exe42⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Piepnfnj.exeC:\Windows\system32\Piepnfnj.exe43⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ppphkq32.exeC:\Windows\system32\Ppphkq32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:500 -
C:\Windows\SysWOW64\Pelacg32.exeC:\Windows\system32\Pelacg32.exe45⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Pngbam32.exeC:\Windows\system32\Pngbam32.exe46⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Peajngoi.exeC:\Windows\system32\Peajngoi.exe47⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Qajhigcj.exeC:\Windows\system32\Qajhigcj.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3220 -
C:\Windows\SysWOW64\Ahdpea32.exeC:\Windows\system32\Ahdpea32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3348 -
C:\Windows\SysWOW64\Aaanif32.exeC:\Windows\system32\Aaanif32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Apdkmn32.exeC:\Windows\system32\Apdkmn32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Bafgdfim.exeC:\Windows\system32\Bafgdfim.exe52⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Bppjhl32.exeC:\Windows\system32\Bppjhl32.exe53⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Coegih32.exeC:\Windows\system32\Coegih32.exe54⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Clldhljp.exeC:\Windows\system32\Clldhljp.exe55⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Ccfmef32.exeC:\Windows\system32\Ccfmef32.exe56⤵
- Executes dropped EXE
PID:5136 -
C:\Windows\SysWOW64\Dlgddkpc.exeC:\Windows\system32\Dlgddkpc.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Dadlmanj.exeC:\Windows\system32\Dadlmanj.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5224 -
C:\Windows\SysWOW64\Eokjke32.exeC:\Windows\system32\Eokjke32.exe59⤵
- Executes dropped EXE
PID:5264 -
C:\Windows\SysWOW64\Ehcndkaa.exeC:\Windows\system32\Ehcndkaa.exe60⤵
- Executes dropped EXE
PID:5304 -
C:\Windows\SysWOW64\Ebnocpfp.exeC:\Windows\system32\Ebnocpfp.exe61⤵
- Executes dropped EXE
PID:5344 -
C:\Windows\SysWOW64\Ehhgpj32.exeC:\Windows\system32\Ehhgpj32.exe62⤵
- Executes dropped EXE
PID:5384 -
C:\Windows\SysWOW64\Eoapldei.exeC:\Windows\system32\Eoapldei.exe63⤵
- Executes dropped EXE
PID:5424 -
C:\Windows\SysWOW64\Ejgdim32.exeC:\Windows\system32\Ejgdim32.exe64⤵
- Executes dropped EXE
PID:5464 -
C:\Windows\SysWOW64\Ecphbckp.exeC:\Windows\system32\Ecphbckp.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5504 -
C:\Windows\SysWOW64\Ehlakjig.exeC:\Windows\system32\Ehlakjig.exe66⤵PID:5544
-
C:\Windows\SysWOW64\Fcbehbim.exeC:\Windows\system32\Fcbehbim.exe67⤵PID:5584
-
C:\Windows\SysWOW64\Fjlmdmqj.exeC:\Windows\system32\Fjlmdmqj.exe68⤵PID:5624
-
C:\Windows\SysWOW64\Fjccel32.exeC:\Windows\system32\Fjccel32.exe69⤵PID:5664
-
C:\Windows\SysWOW64\Fjepkk32.exeC:\Windows\system32\Fjepkk32.exe70⤵PID:5716
-
C:\Windows\SysWOW64\Gmfilfep.exeC:\Windows\system32\Gmfilfep.exe71⤵PID:5756
-
C:\Windows\SysWOW64\Gcpaiq32.exeC:\Windows\system32\Gcpaiq32.exe72⤵PID:5796
-
C:\Windows\SysWOW64\Gmkbgf32.exeC:\Windows\system32\Gmkbgf32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5836 -
C:\Windows\SysWOW64\Gcdkdpih.exeC:\Windows\system32\Gcdkdpih.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5876 -
C:\Windows\SysWOW64\Gjocaj32.exeC:\Windows\system32\Gjocaj32.exe75⤵PID:5916
-
C:\Windows\SysWOW64\Gqhknd32.exeC:\Windows\system32\Gqhknd32.exe76⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Hclaeocp.exeC:\Windows\system32\Hclaeocp.exe77⤵PID:6004
-
C:\Windows\SysWOW64\Hadkib32.exeC:\Windows\system32\Hadkib32.exe78⤵PID:6044
-
C:\Windows\SysWOW64\Hbegakcb.exeC:\Windows\system32\Hbegakcb.exe79⤵
- Drops file in System32 directory
PID:6088 -
C:\Windows\SysWOW64\Ibojgikg.exeC:\Windows\system32\Ibojgikg.exe80⤵PID:6128
-
C:\Windows\SysWOW64\Iiibdc32.exeC:\Windows\system32\Iiibdc32.exe81⤵PID:4952
-
C:\Windows\SysWOW64\Ipckqnja.exeC:\Windows\system32\Ipckqnja.exe82⤵PID:5208
-
C:\Windows\SysWOW64\Ifmcmg32.exeC:\Windows\system32\Ifmcmg32.exe83⤵PID:5292
-
C:\Windows\SysWOW64\Jmgkja32.exeC:\Windows\system32\Jmgkja32.exe84⤵PID:5280
-
C:\Windows\SysWOW64\Jdqcglqh.exeC:\Windows\system32\Jdqcglqh.exe85⤵PID:5448
-
C:\Windows\SysWOW64\Jpgdlm32.exeC:\Windows\system32\Jpgdlm32.exe86⤵PID:5524
-
C:\Windows\SysWOW64\Jfalhgni.exeC:\Windows\system32\Jfalhgni.exe87⤵PID:5564
-
C:\Windows\SysWOW64\Jmkdeaee.exeC:\Windows\system32\Jmkdeaee.exe88⤵PID:780
-
C:\Windows\SysWOW64\Jdembk32.exeC:\Windows\system32\Jdembk32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5700 -
C:\Windows\SysWOW64\Jjoeoedo.exeC:\Windows\system32\Jjoeoedo.exe90⤵
- Modifies registry class
PID:5776 -
C:\Windows\SysWOW64\Jaimko32.exeC:\Windows\system32\Jaimko32.exe91⤵PID:5856
-
C:\Windows\SysWOW64\Jbkjcgaj.exeC:\Windows\system32\Jbkjcgaj.exe92⤵PID:3328
-
C:\Windows\SysWOW64\Kipalpoj.exeC:\Windows\system32\Kipalpoj.exe93⤵PID:5900
-
C:\Windows\SysWOW64\Lnccmnak.exeC:\Windows\system32\Lnccmnak.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5984 -
C:\Windows\SysWOW64\Lgkhec32.exeC:\Windows\system32\Lgkhec32.exe95⤵PID:6104
-
C:\Windows\SysWOW64\Mkkmaalo.exeC:\Windows\system32\Mkkmaalo.exe96⤵PID:3916
-
C:\Windows\SysWOW64\Maefnk32.exeC:\Windows\system32\Maefnk32.exe97⤵
- Drops file in System32 directory
PID:3692 -
C:\Windows\SysWOW64\Mcgbfcij.exeC:\Windows\system32\Mcgbfcij.exe98⤵PID:5408
-
C:\Windows\SysWOW64\Mcklac32.exeC:\Windows\system32\Mcklac32.exe99⤵PID:3024
-
C:\Windows\SysWOW64\Mnapnl32.exeC:\Windows\system32\Mnapnl32.exe100⤵PID:644
-
C:\Windows\SysWOW64\Pgjfdm32.exeC:\Windows\system32\Pgjfdm32.exe101⤵PID:5692
-
C:\Windows\SysWOW64\Pengna32.exeC:\Windows\system32\Pengna32.exe102⤵PID:5828
-
C:\Windows\SysWOW64\Pjkofh32.exeC:\Windows\system32\Pjkofh32.exe103⤵PID:5908
-
C:\Windows\SysWOW64\Qepccqlm.exeC:\Windows\system32\Qepccqlm.exe104⤵PID:2236
-
C:\Windows\SysWOW64\Qnihlf32.exeC:\Windows\system32\Qnihlf32.exe105⤵
- Drops file in System32 directory
PID:6028 -
C:\Windows\SysWOW64\Qgalelin.exeC:\Windows\system32\Qgalelin.exe106⤵
- Modifies registry class
PID:5212 -
C:\Windows\SysWOW64\Abfqbdhd.exeC:\Windows\system32\Abfqbdhd.exe107⤵PID:5336
-
C:\Windows\SysWOW64\Achmjmnb.exeC:\Windows\system32\Achmjmnb.exe108⤵PID:5592
-
C:\Windows\SysWOW64\Anmagenh.exeC:\Windows\system32\Anmagenh.exe109⤵
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\Acjjpllp.exeC:\Windows\system32\Acjjpllp.exe110⤵PID:5844
-
C:\Windows\SysWOW64\Aanjiqki.exeC:\Windows\system32\Aanjiqki.exe111⤵PID:5952
-
C:\Windows\SysWOW64\Ajfobfaj.exeC:\Windows\system32\Ajfobfaj.exe112⤵
- Modifies registry class
PID:5232 -
C:\Windows\SysWOW64\Bopgdcnc.exeC:\Windows\system32\Bopgdcnc.exe113⤵PID:5580
-
C:\Windows\SysWOW64\Coijja32.exeC:\Windows\system32\Coijja32.exe114⤵PID:6080
-
C:\Windows\SysWOW64\Cdfbbhdp.exeC:\Windows\system32\Cdfbbhdp.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5492 -
C:\Windows\SysWOW64\Cbgbpp32.exeC:\Windows\system32\Cbgbpp32.exe116⤵PID:5992
-
C:\Windows\SysWOW64\Dhdkig32.exeC:\Windows\system32\Dhdkig32.exe117⤵PID:5620
-
C:\Windows\SysWOW64\Donceaac.exeC:\Windows\system32\Donceaac.exe118⤵PID:6052
-
C:\Windows\SysWOW64\Ddklnh32.exeC:\Windows\system32\Ddklnh32.exe119⤵PID:5532
-
C:\Windows\SysWOW64\Dkedjbgg.exeC:\Windows\system32\Dkedjbgg.exe120⤵PID:2484
-
C:\Windows\SysWOW64\Dejhgkgm.exeC:\Windows\system32\Dejhgkgm.exe121⤵PID:3652
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-