Analysis
-
max time kernel
93s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
09/07/2024, 20:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3410cf3d578b2687a8cacac5e26627eb090c02b04ca281b9a48e557d77993274.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3410cf3d578b2687a8cacac5e26627eb090c02b04ca281b9a48e557d77993274.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3410cf3d578b2687a8cacac5e26627eb090c02b04ca281b9a48e557d77993274.exe
-
Size
89KB
-
MD5
90319fb3c94243c0b657f5c0bb62b012
-
SHA1
45b690a012122c319ed46d5b16844cf67ced8bfb
-
SHA256
3410cf3d578b2687a8cacac5e26627eb090c02b04ca281b9a48e557d77993274
-
SHA512
c208a0f56d070c03a0777ae9f49d865564c7c9b9bbf20d8f2a7dd0c9da97b834da59bcebd18639a653ab0c15cd0fe76016ec9e13abadaab9b906eabee9effd1e
-
SSDEEP
1536:KAyoHZxI9pty62mmCWA6ms8iHvYuW53n11111111111111111111111111111113:PyGZxMptyxmmDA6b9AuW53nze5r4MKym
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mldhfpib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epikpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqbncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaohcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dggbcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpeaoih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocddono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opcqnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djhpgofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqbdldnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpaekqhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnfohmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iigdfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dclkee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hckeoeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmpcbhji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ombcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkleeplq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqnjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcelpggq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgajfeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lclpdncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lqbncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgohklm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfmcfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlihle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cceddf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaflgago.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meepdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klfjijgq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acnemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ooejohhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfgbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaoaic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njbgmjgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaohcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddkbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eojiqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllhpkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhjhmhhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpheidp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plmmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keifdpif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nblolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Noehba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efffmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giqkkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdgafjpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciafbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdobnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmipdk32.exe -
Executes dropped EXE 64 IoCs
pid Process 4124 Famjkl32.exe 1584 Fehfljca.exe 656 Gekcaj32.exe 3144 Gkglja32.exe 4576 Ghklce32.exe 1960 Gadqlkep.exe 4740 Gkleeplq.exe 544 Ghpendjj.exe 1056 Gnmnfkia.exe 2928 Ghbbcd32.exe 1620 Goljqnpd.exe 3656 Hoogfnnb.exe 2168 Hhgloc32.exe 3632 Hfningai.exe 3856 Hgabkoee.exe 3848 Ikokan32.exe 1412 Igfkfo32.exe 3636 Ioopml32.exe 3932 Iigdfa32.exe 3196 Ibpiogmp.exe 1696 Ienekbld.exe 1972 Jnifigpa.exe 4736 Jkmgblok.exe 5036 Jgdhgmep.exe 2036 Jicdap32.exe 5112 Jfgdkd32.exe 3600 Jieagojp.exe 4604 Kppici32.exe 2356 Klfjijgq.exe 740 Kijjbofj.exe 2764 Kimghn32.exe 1612 Kbekqdjh.exe 4984 Khbdikip.exe 3808 Kfcdfbqo.exe 744 Kiaqcnpb.exe 4424 Lnnikdnj.exe 1276 Llbidimc.exe 3024 Lnqeqd32.exe 4876 Lhijijbg.exe 3040 Lihfcm32.exe 2952 Llgcph32.exe 4800 Leoghn32.exe 1192 Lfodbqfa.exe 3620 Mpghkf32.exe 1328 Miomdk32.exe 2848 Mfcmmp32.exe 4192 Mlpeff32.exe 1012 Moobbb32.exe 844 Midfokpm.exe 1904 Mfhfhong.exe 4752 Mifcejnj.exe 2820 Nlglfe32.exe 4508 Noehba32.exe 3500 Nhnlkfpp.exe 760 Nlihle32.exe 4188 Nbcqiope.exe 1616 Niniei32.exe 2224 Nlleaeff.exe 3648 Ngaionfl.exe 3524 Nlnbgddc.exe 5028 Nomncpcg.exe 4796 Ngdfdmdi.exe 3584 Nheble32.exe 4256 Nplkmckj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pocehodm.dll Ghbbcd32.exe File created C:\Windows\SysWOW64\Ffchaq32.dll Anaomkdb.exe File created C:\Windows\SysWOW64\Ieccbbkn.exe Iojkeh32.exe File opened for modification C:\Windows\SysWOW64\Gpaqbbld.exe Gigheh32.exe File created C:\Windows\SysWOW64\Cmjemflb.exe Cjliajmo.exe File created C:\Windows\SysWOW64\Nmhijd32.exe Ncpeaoih.exe File opened for modification C:\Windows\SysWOW64\Akqfkp32.exe Adfnofpd.exe File created C:\Windows\SysWOW64\Dnpdegjp.exe Dkahilkl.exe File opened for modification C:\Windows\SysWOW64\Joahqn32.exe Ilcldb32.exe File created C:\Windows\SysWOW64\Ieojgc32.exe Ipbaol32.exe File created C:\Windows\SysWOW64\Aopmfk32.exe Ahfdjanb.exe File created C:\Windows\SysWOW64\Llelopkl.dll Fkkeclfh.exe File created C:\Windows\SysWOW64\Bmofagfp.exe Bfendmoc.exe File created C:\Windows\SysWOW64\Ccgjopal.exe Ciafbg32.exe File created C:\Windows\SysWOW64\Diccgfpd.exe Dfefkkqp.exe File opened for modification C:\Windows\SysWOW64\Odoogi32.exe Oaqbkn32.exe File created C:\Windows\SysWOW64\Aaeidf32.dll Lhnhajba.exe File created C:\Windows\SysWOW64\Phcebinc.dll Hgabkoee.exe File opened for modification C:\Windows\SysWOW64\Lihfcm32.exe Lhijijbg.exe File opened for modification C:\Windows\SysWOW64\Acpbbi32.exe Aqaffn32.exe File created C:\Windows\SysWOW64\Fkkeclfh.exe Fhmigagd.exe File opened for modification C:\Windows\SysWOW64\Ihbdplfi.exe Iahlcaol.exe File created C:\Windows\SysWOW64\Ejflhm32.exe Epagkd32.exe File created C:\Windows\SysWOW64\Flngfn32.exe Fjmkoeqi.exe File opened for modification C:\Windows\SysWOW64\Lqpamb32.exe Ljfhqh32.exe File created C:\Windows\SysWOW64\Jghpbk32.exe Joahqn32.exe File created C:\Windows\SysWOW64\Ennioe32.dll Hlegnjbm.exe File opened for modification C:\Windows\SysWOW64\Jkimho32.exe Jcbdgb32.exe File created C:\Windows\SysWOW64\Dihnap32.dll Ngdfdmdi.exe File created C:\Windows\SysWOW64\Idfjphid.dll Fpodlbng.exe File created C:\Windows\SysWOW64\Bchace32.dll Lnpofnhk.exe File created C:\Windows\SysWOW64\Ejfeng32.exe Eclmamod.exe File created C:\Windows\SysWOW64\Fdqfll32.exe Flinkojm.exe File created C:\Windows\SysWOW64\Gbfldf32.exe Glldgljg.exe File opened for modification C:\Windows\SysWOW64\Mokmdh32.exe Mjodla32.exe File created C:\Windows\SysWOW64\Fmbgla32.dll Amjbbfgo.exe File opened for modification C:\Windows\SysWOW64\Ihphkl32.exe Injcmc32.exe File created C:\Windows\SysWOW64\Phdpmbnc.dll Kmaopfjm.exe File opened for modification C:\Windows\SysWOW64\Lcnmin32.exe Lqpamb32.exe File created C:\Windows\SysWOW64\Doogdl32.dll Nelfeo32.exe File created C:\Windows\SysWOW64\Jlllhigk.dll Lflbkcll.exe File created C:\Windows\SysWOW64\Npldbgic.dll Mcbpjg32.exe File created C:\Windows\SysWOW64\Innfnl32.exe Ikpjbq32.exe File created C:\Windows\SysWOW64\Mlgjal32.dll Bnkbcj32.exe File created C:\Windows\SysWOW64\Lflbkcll.exe Lcnfohmi.exe File created C:\Windows\SysWOW64\Ojhpimhp.exe Ocohmc32.exe File created C:\Windows\SysWOW64\Pfepdg32.exe Pplhhm32.exe File opened for modification C:\Windows\SysWOW64\Kfcdfbqo.exe Khbdikip.exe File created C:\Windows\SysWOW64\Akcipcnd.dll Moobbb32.exe File opened for modification C:\Windows\SysWOW64\Elgaeolp.exe Ejfeng32.exe File created C:\Windows\SysWOW64\Jljbeali.exe Jepjhg32.exe File created C:\Windows\SysWOW64\Pqbala32.exe Ojhiogdd.exe File created C:\Windows\SysWOW64\Jfgdkd32.exe Jicdap32.exe File created C:\Windows\SysWOW64\Kpdahg32.dll Hkbdki32.exe File created C:\Windows\SysWOW64\Ffkcnbje.dll Jgenbfoa.exe File opened for modification C:\Windows\SysWOW64\Eppqqn32.exe Eifhdd32.exe File created C:\Windows\SysWOW64\Ngjkfd32.exe Nqpcjj32.exe File created C:\Windows\SysWOW64\Pmmnjnld.dll Najmjokc.exe File created C:\Windows\SysWOW64\Aimkjp32.exe Afnnnd32.exe File created C:\Windows\SysWOW64\Djmibn32.exe Dhomfc32.exe File opened for modification C:\Windows\SysWOW64\Ggkiol32.exe Gpaqbbld.exe File created C:\Windows\SysWOW64\Hhiajmod.exe Hncmmd32.exe File created C:\Windows\SysWOW64\Aedkdf32.dll Kjffdalb.exe File opened for modification C:\Windows\SysWOW64\Plndcl32.exe Pahpfc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7104 7132 WerFault.exe 1060 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfbnkdn.dll" Acilajpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcdkfq32.dll" Epcdqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdgafjpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jnelok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfipef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qglobbdg.dll" Iondqhpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pckppl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfapnkp.dll" Bcghch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcjiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmbanbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginacp32.dll" Adikdfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndfbikc.dll" Blielbfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihnkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhmabfb.dll" Jdedak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opkpck32.dll" Hlambk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkeldnpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljaoeini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcfimfi.dll" Pfdjinjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ihdldn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omalpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhhpnaf.dll" Gdlfhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcelpggq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbekqdjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjodami.dll" Bfedoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lclpdncg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bepmoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogmijllo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efhcbodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbkpm32.dll" Dkbocbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncliqp32.dll" Ebjcajjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aggegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Halhfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ooagno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbndlfi.dll" Cmcolgbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ginnfgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inclga32.dll" Heegad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mifljdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcconde.dll" Kkeldnpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkegpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Klfaapbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmihij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efdjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kninjc32.dll" Edjgfcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffkcnbje.dll" Jgenbfoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnnbqnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefplh32.dll" Lnqeqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Injcmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjffdalb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jpfepf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flpmagqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnnikdnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mldhfpib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lqpamb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bheplb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ickglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biafno32.dll" Chnlgjlb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2332 wrote to memory of 4124 2332 3410cf3d578b2687a8cacac5e26627eb090c02b04ca281b9a48e557d77993274.exe 82 PID 2332 wrote to memory of 4124 2332 3410cf3d578b2687a8cacac5e26627eb090c02b04ca281b9a48e557d77993274.exe 82 PID 2332 wrote to memory of 4124 2332 3410cf3d578b2687a8cacac5e26627eb090c02b04ca281b9a48e557d77993274.exe 82 PID 4124 wrote to memory of 1584 4124 Famjkl32.exe 83 PID 4124 wrote to memory of 1584 4124 Famjkl32.exe 83 PID 4124 wrote to memory of 1584 4124 Famjkl32.exe 83 PID 1584 wrote to memory of 656 1584 Fehfljca.exe 85 PID 1584 wrote to memory of 656 1584 Fehfljca.exe 85 PID 1584 wrote to memory of 656 1584 Fehfljca.exe 85 PID 656 wrote to memory of 3144 656 Gekcaj32.exe 86 PID 656 wrote to memory of 3144 656 Gekcaj32.exe 86 PID 656 wrote to memory of 3144 656 Gekcaj32.exe 86 PID 3144 wrote to memory of 4576 3144 Gkglja32.exe 88 PID 3144 wrote to memory of 4576 3144 Gkglja32.exe 88 PID 3144 wrote to memory of 4576 3144 Gkglja32.exe 88 PID 4576 wrote to memory of 1960 4576 Ghklce32.exe 89 PID 4576 wrote to memory of 1960 4576 Ghklce32.exe 89 PID 4576 wrote to memory of 1960 4576 Ghklce32.exe 89 PID 1960 wrote to memory of 4740 1960 Gadqlkep.exe 90 PID 1960 wrote to memory of 4740 1960 Gadqlkep.exe 90 PID 1960 wrote to memory of 4740 1960 Gadqlkep.exe 90 PID 4740 wrote to memory of 544 4740 Gkleeplq.exe 91 PID 4740 wrote to memory of 544 4740 Gkleeplq.exe 91 PID 4740 wrote to memory of 544 4740 Gkleeplq.exe 91 PID 544 wrote to memory of 1056 544 Ghpendjj.exe 92 PID 544 wrote to memory of 1056 544 Ghpendjj.exe 92 PID 544 wrote to memory of 1056 544 Ghpendjj.exe 92 PID 1056 wrote to memory of 2928 1056 Gnmnfkia.exe 93 PID 1056 wrote to memory of 2928 1056 Gnmnfkia.exe 93 PID 1056 wrote to memory of 2928 1056 Gnmnfkia.exe 93 PID 2928 wrote to memory of 1620 2928 Ghbbcd32.exe 94 PID 2928 wrote to memory of 1620 2928 Ghbbcd32.exe 94 PID 2928 wrote to memory of 1620 2928 Ghbbcd32.exe 94 PID 1620 wrote to memory of 3656 1620 Goljqnpd.exe 95 PID 1620 wrote to memory of 3656 1620 Goljqnpd.exe 95 PID 1620 wrote to memory of 3656 1620 Goljqnpd.exe 95 PID 3656 wrote to memory of 2168 3656 Hoogfnnb.exe 96 PID 3656 wrote to memory of 2168 3656 Hoogfnnb.exe 96 PID 3656 wrote to memory of 2168 3656 Hoogfnnb.exe 96 PID 2168 wrote to memory of 3632 2168 Hhgloc32.exe 97 PID 2168 wrote to memory of 3632 2168 Hhgloc32.exe 97 PID 2168 wrote to memory of 3632 2168 Hhgloc32.exe 97 PID 3632 wrote to memory of 3856 3632 Hfningai.exe 98 PID 3632 wrote to memory of 3856 3632 Hfningai.exe 98 PID 3632 wrote to memory of 3856 3632 Hfningai.exe 98 PID 3856 wrote to memory of 3848 3856 Hgabkoee.exe 99 PID 3856 wrote to memory of 3848 3856 Hgabkoee.exe 99 PID 3856 wrote to memory of 3848 3856 Hgabkoee.exe 99 PID 3848 wrote to memory of 1412 3848 Ikokan32.exe 100 PID 3848 wrote to memory of 1412 3848 Ikokan32.exe 100 PID 3848 wrote to memory of 1412 3848 Ikokan32.exe 100 PID 1412 wrote to memory of 3636 1412 Igfkfo32.exe 101 PID 1412 wrote to memory of 3636 1412 Igfkfo32.exe 101 PID 1412 wrote to memory of 3636 1412 Igfkfo32.exe 101 PID 3636 wrote to memory of 3932 3636 Ioopml32.exe 102 PID 3636 wrote to memory of 3932 3636 Ioopml32.exe 102 PID 3636 wrote to memory of 3932 3636 Ioopml32.exe 102 PID 3932 wrote to memory of 3196 3932 Iigdfa32.exe 103 PID 3932 wrote to memory of 3196 3932 Iigdfa32.exe 103 PID 3932 wrote to memory of 3196 3932 Iigdfa32.exe 103 PID 3196 wrote to memory of 1696 3196 Ibpiogmp.exe 104 PID 3196 wrote to memory of 1696 3196 Ibpiogmp.exe 104 PID 3196 wrote to memory of 1696 3196 Ibpiogmp.exe 104 PID 1696 wrote to memory of 1972 1696 Ienekbld.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\3410cf3d578b2687a8cacac5e26627eb090c02b04ca281b9a48e557d77993274.exe"C:\Users\Admin\AppData\Local\Temp\3410cf3d578b2687a8cacac5e26627eb090c02b04ca281b9a48e557d77993274.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe23⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe24⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe25⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe27⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe28⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe29⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe31⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe32⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4984 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe35⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe36⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4424 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe38⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe41⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe42⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe43⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe44⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe45⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe46⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe47⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe48⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1012 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe50⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe51⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe52⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe53⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe55⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe57⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe58⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe59⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe60⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe61⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe62⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4796 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe64⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe65⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe66⤵PID:4120
-
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe67⤵PID:4848
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe68⤵
- Modifies registry class
PID:4076 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe69⤵PID:4772
-
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe70⤵PID:4500
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4776 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe72⤵PID:2312
-
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe73⤵PID:4040
-
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3096 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe75⤵
- Modifies registry class
PID:4176 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe76⤵PID:5084
-
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe77⤵PID:1332
-
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe78⤵PID:3340
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe79⤵PID:5024
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe80⤵PID:4200
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe81⤵PID:1804
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe82⤵PID:2900
-
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe83⤵PID:5088
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe84⤵PID:4388
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe85⤵PID:1980
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe86⤵PID:3316
-
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe87⤵PID:2708
-
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe88⤵
- Modifies registry class
PID:4224 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe89⤵PID:3968
-
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe90⤵PID:4016
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe91⤵PID:2116
-
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe92⤵PID:4888
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe93⤵PID:3088
-
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe94⤵PID:3800
-
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe95⤵PID:916
-
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe96⤵PID:4968
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe97⤵PID:4068
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe98⤵PID:4780
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe99⤵PID:3640
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe100⤵PID:3448
-
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe101⤵PID:4992
-
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe102⤵PID:3348
-
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe103⤵PID:3836
-
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe104⤵PID:220
-
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe105⤵PID:2024
-
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe106⤵
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe107⤵
- Drops file in System32 directory
PID:3832 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe108⤵PID:612
-
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe109⤵
- Modifies registry class
PID:3660 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe110⤵PID:4884
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:324 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe112⤵PID:4600
-
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe113⤵PID:5132
-
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe114⤵
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe115⤵PID:5224
-
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe116⤵
- Drops file in System32 directory
PID:5272 -
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe117⤵PID:5316
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe118⤵PID:5360
-
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe119⤵PID:5408
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe120⤵PID:5440
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe121⤵PID:5496
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-