Analysis
-
max time kernel
95s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
07/07/2024, 00:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
841d630c0d946c28535e91c6614a53278cb793ff6b7481f78e91694f37231c36.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
841d630c0d946c28535e91c6614a53278cb793ff6b7481f78e91694f37231c36.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
841d630c0d946c28535e91c6614a53278cb793ff6b7481f78e91694f37231c36.exe
-
Size
384KB
-
MD5
aeef248b5f6cf5fd157a54d23f706f5b
-
SHA1
bf7611b0f916e7487633b560032636a2c3fa5c14
-
SHA256
841d630c0d946c28535e91c6614a53278cb793ff6b7481f78e91694f37231c36
-
SHA512
6f346787cff35aaa203ed27c96c287af282825d5b3c1a76bac80cc408d8cfc3290b3e13ffd29f924651ea0c4a21c3f8629a3995eeae575044616491429d11237
-
SSDEEP
6144:PznC+Szzspui6yYPaIGckjh/xaSfBJKFbhD7sYQpui6yYPaIGck7/DiuoH3ygNb/:Pz0kpV6yYPMLnfBJKFbhDwBpV6yYP0ri
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qljcoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fealin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbnhedj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpcapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdmdnadc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnicid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badanigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljqhkckn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchlpfjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clchbqoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmfgek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbhijepa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nclikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qoelkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lncjlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnlhncgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjknfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpiplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccbadp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efgemb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohlqcagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhkbfme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgaokl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnjpfcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onkidm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbjhbbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnfpinmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdppiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdmdnadc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahmfpap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoabad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bebjdgmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coadnlnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmcce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooejohhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdbjhbbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkkhhmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojefobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adkqoohc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgffic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmeede32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmoiqneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lghcocol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbfcmhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmkbfeab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpiecd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkobkod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihnkel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbped32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogekbb32.exe -
Executes dropped EXE 64 IoCs
pid Process 3764 Fpmggb32.exe 1840 Fggocmhf.exe 2732 Fdkpma32.exe 1304 Gigheh32.exe 1020 Gijekg32.exe 2060 Gaamlecg.exe 2764 Ggpbjkpl.exe 1680 Ginnfgop.exe 1740 Gddbcp32.exe 1300 Hkpheidp.exe 2120 Hajpbckl.exe 2916 Hkbdki32.exe 1644 Hhfedm32.exe 4576 Hkeaqi32.exe 4216 Hjjnae32.exe 2720 Hdpbon32.exe 768 Hnhghcki.exe 2656 Ihnkel32.exe 2292 Ijogmdqm.exe 2340 Ikndgg32.exe 4404 Iahlcaol.exe 1712 Iakiia32.exe 4148 Ikcmbfcj.exe 2588 Ibmeoq32.exe 2768 Iqbbpm32.exe 1008 Jdpkflfe.exe 1972 Jdbhkk32.exe 1100 Jdedak32.exe 2672 Jbiejoaj.exe 4788 Jjdjoane.exe 4544 Kghjhemo.exe 232 Kkfcndce.exe 4860 Kgmcce32.exe 2124 Knflpoqf.exe 540 Keqdmihc.exe 1692 Kkjlic32.exe 3140 Kniieo32.exe 1180 Kageaj32.exe 1060 Kgamnded.exe 736 Kjpijpdg.exe 3528 Lajagj32.exe 5076 Liqihglg.exe 2576 Lkofdbkj.exe 408 Lnnbqnjn.exe 816 Lgffic32.exe 1368 Ljdceo32.exe 716 Lghcocol.exe 3428 Ljgpkonp.exe 4896 Lbngllob.exe 4736 Lelchgne.exe 5048 Lgkpdcmi.exe 3348 Ljilqnlm.exe 2036 Lacdmh32.exe 4356 Lhmmjbkf.exe 4324 Llhikacp.exe 4612 Mngegmbc.exe 4192 Meamcg32.exe 2308 Mhoipb32.exe 4408 Mbenmk32.exe 3944 Mecjif32.exe 1044 Mhafeb32.exe 4680 Mnlnbl32.exe 228 Majjng32.exe 4872 Mhdckaeo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gmfplibd.exe Gikdkj32.exe File created C:\Windows\SysWOW64\Akblfj32.exe Ahdpjn32.exe File opened for modification C:\Windows\SysWOW64\Pefhlaie.exe Pchlpfjb.exe File created C:\Windows\SysWOW64\Eofgpikj.exe Ekkkoj32.exe File created C:\Windows\SysWOW64\Innfnl32.exe Ijcjmmil.exe File created C:\Windows\SysWOW64\Lcjcnoej.exe Lqkgbcff.exe File created C:\Windows\SysWOW64\Jghpbk32.exe Jcmdaljn.exe File created C:\Windows\SysWOW64\Oblknjim.dll Cklhcfle.exe File opened for modification C:\Windows\SysWOW64\Ipflihfq.exe Hildmn32.exe File created C:\Windows\SysWOW64\Ijcjmmil.exe Igdnabjh.exe File created C:\Windows\SysWOW64\Qcbhah32.dll Chqogq32.exe File created C:\Windows\SysWOW64\Kcbfcigf.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Aaoaic32.exe Amcehdod.exe File opened for modification C:\Windows\SysWOW64\Mepfiq32.exe Madjhb32.exe File created C:\Windows\SysWOW64\Hlmkgk32.dll Akqfkp32.exe File created C:\Windows\SysWOW64\Poigcbng.dll Dfglfdkb.exe File created C:\Windows\SysWOW64\Ebdcld32.exe Eofgpikj.exe File opened for modification C:\Windows\SysWOW64\Mgeakekd.exe Mqkiok32.exe File created C:\Windows\SysWOW64\Kckefh32.dll Phbhcmjl.exe File created C:\Windows\SysWOW64\Ilccoh32.exe Ijegcm32.exe File opened for modification C:\Windows\SysWOW64\Pejkmk32.exe Pmcclm32.exe File created C:\Windows\SysWOW64\Mhjmpfcl.dll Dngjff32.exe File opened for modification C:\Windows\SysWOW64\Bphgeo32.exe Baegibae.exe File created C:\Windows\SysWOW64\Oondnini.exe Niakfbpa.exe File opened for modification C:\Windows\SysWOW64\Hdjbiheb.exe Hlcjhkdp.exe File created C:\Windows\SysWOW64\Bcghka32.dll Fpjcgm32.exe File created C:\Windows\SysWOW64\Gfmojenc.exe Gdobnj32.exe File created C:\Windows\SysWOW64\Hhjamhbn.dll Dmennnni.exe File created C:\Windows\SysWOW64\Hhaljido.dll Jokkgl32.exe File created C:\Windows\SysWOW64\Gghocf32.dll Nkqkhk32.exe File opened for modification C:\Windows\SysWOW64\Bhldpj32.exe Bjicdmmd.exe File created C:\Windows\SysWOW64\Qoelkp32.exe Qkipkani.exe File created C:\Windows\SysWOW64\Ghkogl32.dll Mgbefe32.exe File opened for modification C:\Windows\SysWOW64\Opclldhj.exe Omdppiif.exe File created C:\Windows\SysWOW64\Bhkfkmmg.exe Bdojjo32.exe File created C:\Windows\SysWOW64\Gbhhlfgd.dll Bpkdjofm.exe File opened for modification C:\Windows\SysWOW64\Madjhb32.exe Mnfnlf32.exe File opened for modification C:\Windows\SysWOW64\Nlcalieg.exe Nclikl32.exe File created C:\Windows\SysWOW64\Nlmdbh32.exe Ndflak32.exe File created C:\Windows\SysWOW64\Qjalckog.dll Qeodhjmo.exe File opened for modification C:\Windows\SysWOW64\Baadiiif.exe Bochmn32.exe File created C:\Windows\SysWOW64\Glkmmefl.exe Gmimai32.exe File created C:\Windows\SysWOW64\Hlpfhe32.exe Hmmfmhll.exe File created C:\Windows\SysWOW64\Qjfmkk32.exe Qfkqjmdg.exe File created C:\Windows\SysWOW64\Phbhcmjl.exe Piphgq32.exe File opened for modification C:\Windows\SysWOW64\Lgccinoe.exe Lddgmbpb.exe File created C:\Windows\SysWOW64\Apedgj32.dll Bfpdin32.exe File created C:\Windows\SysWOW64\Dpphjp32.exe Dmalne32.exe File opened for modification C:\Windows\SysWOW64\Higjaoci.exe Hginecde.exe File opened for modification C:\Windows\SysWOW64\Iggjga32.exe Idhnkf32.exe File created C:\Windows\SysWOW64\Igigla32.exe Idkkpf32.exe File opened for modification C:\Windows\SysWOW64\Igigla32.exe Idkkpf32.exe File created C:\Windows\SysWOW64\Ceelqcdb.dll Kkfcndce.exe File created C:\Windows\SysWOW64\Cclnpmna.dll Kgmcce32.exe File opened for modification C:\Windows\SysWOW64\Gldglf32.exe Gmafajfi.exe File opened for modification C:\Windows\SysWOW64\Amlogfel.exe Afbgkl32.exe File created C:\Windows\SysWOW64\Bdfpkm32.exe Bpkdjofm.exe File created C:\Windows\SysWOW64\Fechok32.dll Odalmibl.exe File opened for modification C:\Windows\SysWOW64\Cdbfab32.exe Cfpffeaj.exe File opened for modification C:\Windows\SysWOW64\Gfmojenc.exe Gdobnj32.exe File opened for modification C:\Windows\SysWOW64\Mfnoqc32.exe Mcpcdg32.exe File opened for modification C:\Windows\SysWOW64\Mqdcnl32.exe Mnegbp32.exe File created C:\Windows\SysWOW64\Cgnomg32.exe Chkobkod.exe File created C:\Windows\SysWOW64\Gaamlecg.exe Gijekg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 19240 19460 Process not Found 1108 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjgdg32.dll" Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dngjff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmpcbhji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmhce32.dll" Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll" Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmkdcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbiejoaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Inlihl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Papfgbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhmqdemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mecjif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebhglj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knchpiom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lccahg32.dll" Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgaaeham.dll" Hhfedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijnmaj32.dll" Phganm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lghcocol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjecoi32.dll" Ohkbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccledea.dll" Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfhji32.dll" Fdccbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpfepf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdqegoi.dll" Omegjomb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcjmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eokqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lacdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajaoo32.dll" Fpggamqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjnfknb.dll" Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll" Qdoacabq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konidd32.dll" Fefedmil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcjiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dikihe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmkgkapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alpbecod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Illfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkogiikb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qadoba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmnmgnoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcgiefen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonklp32.dll" Jgeghp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmieae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogmlp32.dll" Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjmhg32.dll" Cdlqqcnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobpkihi.dll" Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmlokdl.dll" Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jipegn32.dll" Eblimcdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciggeb32.dll" Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdpecjm.dll" Igbalblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmmfmhll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jofalmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Geohklaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojpmg32.dll" Peahgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll" Apodoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djhimica.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlmdbh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4432 wrote to memory of 3764 4432 841d630c0d946c28535e91c6614a53278cb793ff6b7481f78e91694f37231c36.exe 82 PID 4432 wrote to memory of 3764 4432 841d630c0d946c28535e91c6614a53278cb793ff6b7481f78e91694f37231c36.exe 82 PID 4432 wrote to memory of 3764 4432 841d630c0d946c28535e91c6614a53278cb793ff6b7481f78e91694f37231c36.exe 82 PID 3764 wrote to memory of 1840 3764 Fpmggb32.exe 83 PID 3764 wrote to memory of 1840 3764 Fpmggb32.exe 83 PID 3764 wrote to memory of 1840 3764 Fpmggb32.exe 83 PID 1840 wrote to memory of 2732 1840 Fggocmhf.exe 84 PID 1840 wrote to memory of 2732 1840 Fggocmhf.exe 84 PID 1840 wrote to memory of 2732 1840 Fggocmhf.exe 84 PID 2732 wrote to memory of 1304 2732 Fdkpma32.exe 87 PID 2732 wrote to memory of 1304 2732 Fdkpma32.exe 87 PID 2732 wrote to memory of 1304 2732 Fdkpma32.exe 87 PID 1304 wrote to memory of 1020 1304 Gigheh32.exe 88 PID 1304 wrote to memory of 1020 1304 Gigheh32.exe 88 PID 1304 wrote to memory of 1020 1304 Gigheh32.exe 88 PID 1020 wrote to memory of 2060 1020 Gijekg32.exe 89 PID 1020 wrote to memory of 2060 1020 Gijekg32.exe 89 PID 1020 wrote to memory of 2060 1020 Gijekg32.exe 89 PID 2060 wrote to memory of 2764 2060 Gaamlecg.exe 90 PID 2060 wrote to memory of 2764 2060 Gaamlecg.exe 90 PID 2060 wrote to memory of 2764 2060 Gaamlecg.exe 90 PID 2764 wrote to memory of 1680 2764 Ggpbjkpl.exe 92 PID 2764 wrote to memory of 1680 2764 Ggpbjkpl.exe 92 PID 2764 wrote to memory of 1680 2764 Ggpbjkpl.exe 92 PID 1680 wrote to memory of 1740 1680 Ginnfgop.exe 93 PID 1680 wrote to memory of 1740 1680 Ginnfgop.exe 93 PID 1680 wrote to memory of 1740 1680 Ginnfgop.exe 93 PID 1740 wrote to memory of 1300 1740 Gddbcp32.exe 94 PID 1740 wrote to memory of 1300 1740 Gddbcp32.exe 94 PID 1740 wrote to memory of 1300 1740 Gddbcp32.exe 94 PID 1300 wrote to memory of 2120 1300 Hkpheidp.exe 95 PID 1300 wrote to memory of 2120 1300 Hkpheidp.exe 95 PID 1300 wrote to memory of 2120 1300 Hkpheidp.exe 95 PID 2120 wrote to memory of 2916 2120 Hajpbckl.exe 96 PID 2120 wrote to memory of 2916 2120 Hajpbckl.exe 96 PID 2120 wrote to memory of 2916 2120 Hajpbckl.exe 96 PID 2916 wrote to memory of 1644 2916 Hkbdki32.exe 97 PID 2916 wrote to memory of 1644 2916 Hkbdki32.exe 97 PID 2916 wrote to memory of 1644 2916 Hkbdki32.exe 97 PID 1644 wrote to memory of 4576 1644 Hhfedm32.exe 98 PID 1644 wrote to memory of 4576 1644 Hhfedm32.exe 98 PID 1644 wrote to memory of 4576 1644 Hhfedm32.exe 98 PID 4576 wrote to memory of 4216 4576 Hkeaqi32.exe 99 PID 4576 wrote to memory of 4216 4576 Hkeaqi32.exe 99 PID 4576 wrote to memory of 4216 4576 Hkeaqi32.exe 99 PID 4216 wrote to memory of 2720 4216 Hjjnae32.exe 100 PID 4216 wrote to memory of 2720 4216 Hjjnae32.exe 100 PID 4216 wrote to memory of 2720 4216 Hjjnae32.exe 100 PID 2720 wrote to memory of 768 2720 Hdpbon32.exe 101 PID 2720 wrote to memory of 768 2720 Hdpbon32.exe 101 PID 2720 wrote to memory of 768 2720 Hdpbon32.exe 101 PID 768 wrote to memory of 2656 768 Hnhghcki.exe 102 PID 768 wrote to memory of 2656 768 Hnhghcki.exe 102 PID 768 wrote to memory of 2656 768 Hnhghcki.exe 102 PID 2656 wrote to memory of 2292 2656 Ihnkel32.exe 103 PID 2656 wrote to memory of 2292 2656 Ihnkel32.exe 103 PID 2656 wrote to memory of 2292 2656 Ihnkel32.exe 103 PID 2292 wrote to memory of 2340 2292 Ijogmdqm.exe 104 PID 2292 wrote to memory of 2340 2292 Ijogmdqm.exe 104 PID 2292 wrote to memory of 2340 2292 Ijogmdqm.exe 104 PID 2340 wrote to memory of 4404 2340 Ikndgg32.exe 105 PID 2340 wrote to memory of 4404 2340 Ikndgg32.exe 105 PID 2340 wrote to memory of 4404 2340 Ikndgg32.exe 105 PID 4404 wrote to memory of 1712 4404 Iahlcaol.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\841d630c0d946c28535e91c6614a53278cb793ff6b7481f78e91694f37231c36.exe"C:\Users\Admin\AppData\Local\Temp\841d630c0d946c28535e91c6614a53278cb793ff6b7481f78e91694f37231c36.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe23⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe24⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe25⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe26⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe27⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe28⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe29⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe31⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe32⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:232 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4860 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe35⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe36⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe37⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe38⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe39⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe40⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe41⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe42⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe43⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe44⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe45⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe47⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:716 -
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe49⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe50⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe51⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe52⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe53⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe55⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe56⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe57⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe58⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe59⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe60⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3944 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe62⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe63⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe64⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe65⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe66⤵PID:4668
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe67⤵PID:2256
-
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe68⤵PID:1332
-
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe69⤵PID:2492
-
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe70⤵PID:3120
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe71⤵PID:1632
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe72⤵PID:1808
-
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe73⤵PID:4792
-
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe74⤵PID:2920
-
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe75⤵PID:1124
-
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe76⤵PID:4468
-
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe77⤵PID:4016
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe78⤵PID:1604
-
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe79⤵PID:4044
-
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe80⤵PID:4948
-
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe81⤵PID:3196
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe82⤵PID:1564
-
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe83⤵PID:4656
-
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe84⤵PID:4508
-
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe85⤵
- Drops file in System32 directory
PID:4684 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe86⤵PID:4084
-
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe87⤵
- Drops file in System32 directory
PID:3504 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe88⤵PID:4840
-
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe89⤵PID:4976
-
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe90⤵PID:5004
-
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe91⤵PID:3188
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe92⤵PID:3492
-
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe93⤵PID:4616
-
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe94⤵PID:1876
-
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe95⤵PID:4652
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe96⤵PID:3208
-
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe97⤵PID:3968
-
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe98⤵
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe99⤵PID:5132
-
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5176 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe101⤵PID:5220
-
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe102⤵PID:5264
-
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe103⤵PID:5316
-
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe104⤵PID:5356
-
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe105⤵
- Modifies registry class
PID:5404 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5448 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe107⤵
- Drops file in System32 directory
PID:5492 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe108⤵PID:5536
-
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe110⤵PID:5620
-
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe111⤵PID:5668
-
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe112⤵PID:5712
-
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe113⤵PID:5756
-
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe114⤵
- Modifies registry class
PID:5800 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe115⤵PID:5844
-
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe116⤵
- Modifies registry class
PID:5884 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe117⤵PID:5928
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe118⤵PID:5976
-
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe119⤵
- Modifies registry class
PID:6020 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe120⤵PID:6064
-
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe121⤵PID:6108
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-