Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09/04/2024, 19:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
610eb02ce15093910e335dcdfca31c51.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
610eb02ce15093910e335dcdfca31c51.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
610eb02ce15093910e335dcdfca31c51.exe
-
Size
226KB
-
MD5
610eb02ce15093910e335dcdfca31c51
-
SHA1
fc120515cd944030745f87a0e92add1a40560493
-
SHA256
944a812ce970619a60f8050a8894ae70f117edc520ec804801a896a11d8db96c
-
SHA512
7cac4fcd14c4e39ff8f0f81548be16678a125fa4ed470dc290fe706f4dcaa45d1f95848906ea5c69a6e2dda4e8fdf5e8d4aaeac51a1ec9c00f044b6e8aa1f743
-
SSDEEP
6144:HBI0/eIdMTB5zKXfxqySSKpRmSKeTk7eT5ABrnL8MdYg:HBI0/HQ7G5IKrEAlnLAg
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghohdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akdilipp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbdano32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Foclgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ledoegkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cchikf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmqlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmkol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emihbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihfjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lomjicei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndlacapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpfbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qppaclio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeolckne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agiamhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibjqlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohnhdog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcgpni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaajhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pijiif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpgind32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmhphqoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppphkq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nombnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoqegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgeenfog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhmhpfmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moalil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcbnopkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmpjoloh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhflhcfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idbalhho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbljoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpioin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llqjbhdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnfgmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnalem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqffdejj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpiecd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijbbfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nakhaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfbbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbgndoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfhqkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgipcogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gblbca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejqldci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbofdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmapag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ammgifpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imkbnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhdbhifj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcghkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbaiip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdqejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejiqom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geflne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnpphljo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlljnf32.exe -
Executes dropped EXE 64 IoCs
pid Process 3968 Jioaqfcc.exe 696 Jianff32.exe 2556 Jcgbco32.exe 2916 Jeklag32.exe 3864 Kboljk32.exe 4588 Kemhff32.exe 3712 Kbaipkbi.exe 4788 Kdqejn32.exe 1696 Kedoge32.exe 2904 Kdeoemeg.exe 2236 Kmncnb32.exe 1724 Lffhfh32.exe 2832 Lpnlpnih.exe 4968 Lekehdgp.exe 1044 Lpqiemge.exe 768 Lfkaag32.exe 2164 Lgmngglp.exe 396 Lpebpm32.exe 4660 Lebkhc32.exe 5016 Mdckfk32.exe 3904 Mpjlklok.exe 4996 Mmnldp32.exe 4268 Mmpijp32.exe 2612 Mlefklpj.exe 4248 Mgkjhe32.exe 1608 Nepgjaeg.exe 1772 Nljofl32.exe 3196 Cmiflbel.exe 4800 Cnicfe32.exe 3280 Cnkplejl.exe 4536 Cffdpghg.exe 5000 Dmefhako.exe 1468 Daconoae.exe 2684 Ddakjkqi.exe 3608 Daekdooc.exe 3008 Dknpmdfc.exe 5024 Edfdej32.exe 4124 Emoinpcd.exe 4492 Eggmge32.exe 2680 Edknqiho.exe 4320 Egijmegb.exe 1864 Emcbio32.exe 1868 Ehiffh32.exe 3688 Eobocb32.exe 4832 Edpgli32.exe 1164 Eoekia32.exe 1552 Fnjhjn32.exe 1068 Fddqghpd.exe 2848 Fnmepn32.exe 4072 Fhbimf32.exe 8 Folaiqng.exe 1224 Fdijbg32.exe 1520 Fnaokmco.exe 4428 Ploknb32.exe 1404 Pgdokkfg.exe 1760 Pjbkgfej.exe 3256 Ppmcdq32.exe 3724 Pckppl32.exe 2864 Pfillg32.exe 4084 Pcmlfl32.exe 2404 Pjgebf32.exe 2672 Ppamophb.exe 3572 Pcpikkge.exe 4060 Afelhf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ehlpjikd.exe Dpehikja.exe File opened for modification C:\Windows\SysWOW64\Kcidmkpq.exe Jlolpq32.exe File opened for modification C:\Windows\SysWOW64\Mohbjkgp.exe Mhnjna32.exe File opened for modification C:\Windows\SysWOW64\Bqbohocd.exe Bndblcdq.exe File created C:\Windows\SysWOW64\Gonilenb.exe Gdheol32.exe File opened for modification C:\Windows\SysWOW64\Ohjlqklp.exe Oiglen32.exe File created C:\Windows\SysWOW64\Abkkbp32.dll Dplebmbl.exe File created C:\Windows\SysWOW64\Knalji32.exe Kclgmq32.exe File opened for modification C:\Windows\SysWOW64\Lhnhajba.exe Kadpdp32.exe File opened for modification C:\Windows\SysWOW64\Mapppn32.exe Loacdc32.exe File created C:\Windows\SysWOW64\Dicbfhni.exe Deejpjgc.exe File opened for modification C:\Windows\SysWOW64\Kdeoemeg.exe Kedoge32.exe File created C:\Windows\SysWOW64\Kkpbin32.exe Jdfjld32.exe File created C:\Windows\SysWOW64\Ejioqkck.dll Hbiapb32.exe File created C:\Windows\SysWOW64\Omdaai32.dll Cipppc32.exe File created C:\Windows\SysWOW64\Qqcjnell.exe Qqamieno.exe File created C:\Windows\SysWOW64\Lajlbmed.dll Kcpahpmd.exe File created C:\Windows\SysWOW64\Bhpopokm.dll Dhclmp32.exe File created C:\Windows\SysWOW64\Gkaclqkk.exe Gokbgpeg.exe File opened for modification C:\Windows\SysWOW64\Mfbaalbi.exe Mohidbkl.exe File opened for modification C:\Windows\SysWOW64\Pjoppf32.exe Pcegclgp.exe File created C:\Windows\SysWOW64\Jhmhpfmi.exe Jeolckne.exe File created C:\Windows\SysWOW64\Bahdje32.exe Bpggbm32.exe File opened for modification C:\Windows\SysWOW64\Ibhdgjap.exe Iafgob32.exe File created C:\Windows\SysWOW64\Agiamhdo.exe Aobilkcl.exe File created C:\Windows\SysWOW64\Kcejco32.exe Kdbjhbbd.exe File created C:\Windows\SysWOW64\Jlmmnd32.dll Llcghg32.exe File created C:\Windows\SysWOW64\Cmpjoloh.exe Cgfbbb32.exe File created C:\Windows\SysWOW64\Fncbmpcd.dll Gahcgg32.exe File created C:\Windows\SysWOW64\Aihfjd32.exe Appaangd.exe File created C:\Windows\SysWOW64\Bjjjhifm.exe Bgknlmgi.exe File created C:\Windows\SysWOW64\Ehhgpj32.exe Efikco32.exe File created C:\Windows\SysWOW64\Lhnelc32.dll Cifmjd32.exe File created C:\Windows\SysWOW64\Kioghlbd.dll Qfkqjmdg.exe File opened for modification C:\Windows\SysWOW64\Jllhpkfk.exe Jeapcq32.exe File opened for modification C:\Windows\SysWOW64\Bboffejp.exe Banjnm32.exe File created C:\Windows\SysWOW64\Gdnjfojj.exe Gbpnjdkg.exe File created C:\Windows\SysWOW64\Gkqhpmkg.exe Glngep32.exe File created C:\Windows\SysWOW64\Alnakngf.dll Okcccdkp.exe File created C:\Windows\SysWOW64\Jlobem32.dll Bajqda32.exe File opened for modification C:\Windows\SysWOW64\Ppdbgncl.exe Omfekbdh.exe File created C:\Windows\SysWOW64\Nfoceoni.dll Nhbciqln.exe File opened for modification C:\Windows\SysWOW64\Ifjfhh32.exe Iannpa32.exe File created C:\Windows\SysWOW64\Ekooihip.dll Kclgmq32.exe File opened for modification C:\Windows\SysWOW64\Acfoep32.exe Ammgifpn.exe File opened for modification C:\Windows\SysWOW64\Jifecp32.exe Joqafgni.exe File opened for modification C:\Windows\SysWOW64\Gngckfdj.exe Glhgojef.exe File opened for modification C:\Windows\SysWOW64\Khnfce32.exe Kadnfkji.exe File created C:\Windows\SysWOW64\Jgiiclkl.exe Jdkmgali.exe File created C:\Windows\SysWOW64\Fbofckhp.dll Mdnlkl32.exe File created C:\Windows\SysWOW64\Caioglje.dll Oendaipn.exe File created C:\Windows\SysWOW64\Bfolacnc.exe Bdapehop.exe File opened for modification C:\Windows\SysWOW64\Agcdnjcl.exe Abflfc32.exe File created C:\Windows\SysWOW64\Khnfce32.exe Kadnfkji.exe File created C:\Windows\SysWOW64\Icelfhmg.dll Jgiiclkl.exe File created C:\Windows\SysWOW64\Anplji32.dll Daiegp32.exe File created C:\Windows\SysWOW64\Mlefklpj.exe Mmpijp32.exe File created C:\Windows\SysWOW64\Ejdonq32.exe Dicbfhni.exe File created C:\Windows\SysWOW64\Gdnmaeek.dll Bfedhihl.exe File created C:\Windows\SysWOW64\Mhoahh32.exe Mfpell32.exe File opened for modification C:\Windows\SysWOW64\Femigg32.exe Faamghko.exe File opened for modification C:\Windows\SysWOW64\Fnjhjn32.exe Eoekia32.exe File created C:\Windows\SysWOW64\Bkjcmgbp.dll Eoekia32.exe File opened for modification C:\Windows\SysWOW64\Kqphfe32.exe Knalji32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqkijnkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oelhljaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofienka.dll" Jmgkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgigan32.dll" Ppopcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cndeoqhk.dll" Edcqojqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll" Pmhbqbae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njmejp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pejdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjkfjhn.dll" Pneelmjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmedcqge.dll" Ajcdhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfeeabda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdckfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfnoiid.dll" Fmikeaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnoffic.dll" Koljgppp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll" Kdqejn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgccinoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll" Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipbmd32.dll" Nodiqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdapehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll" Bagmdllg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djklgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kidiae32.dll" Agiamhdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chlomnfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmdblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlbphhk.dll" Mkgmoncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onccdj32.dll" Dbgndoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abcgii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqhknd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahonbhig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jeapcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hicpgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkgdhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkpigmd.dll" Akgjnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncbmpcd.dll" Gahcgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnnokn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocligb32.dll" Aonhblad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blbabnbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjpgbba.dll" Bgknlmgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgdeic.dll" Ecphbckp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihkpgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Helkdnaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koeajo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjnik32.dll" Kkqepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpggbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpgico32.dll" Keoeel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjehflie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipiddlhk.dll" Nkapelka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddedlaq.dll" Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekjded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alapqh32.dll" Nblolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildolk32.dll" Nmfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgedpmpf.dll" Ncmaai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgmpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll" Mgkjhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biadoeib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gihgfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kopcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iineacpp.dll" Qiocde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfkdkddn.dll" Doageg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbegakcb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3960 wrote to memory of 3968 3960 610eb02ce15093910e335dcdfca31c51.exe 85 PID 3960 wrote to memory of 3968 3960 610eb02ce15093910e335dcdfca31c51.exe 85 PID 3960 wrote to memory of 3968 3960 610eb02ce15093910e335dcdfca31c51.exe 85 PID 3968 wrote to memory of 696 3968 Jioaqfcc.exe 86 PID 3968 wrote to memory of 696 3968 Jioaqfcc.exe 86 PID 3968 wrote to memory of 696 3968 Jioaqfcc.exe 86 PID 696 wrote to memory of 2556 696 Jianff32.exe 87 PID 696 wrote to memory of 2556 696 Jianff32.exe 87 PID 696 wrote to memory of 2556 696 Jianff32.exe 87 PID 2556 wrote to memory of 2916 2556 Jcgbco32.exe 88 PID 2556 wrote to memory of 2916 2556 Jcgbco32.exe 88 PID 2556 wrote to memory of 2916 2556 Jcgbco32.exe 88 PID 2916 wrote to memory of 3864 2916 Jeklag32.exe 89 PID 2916 wrote to memory of 3864 2916 Jeklag32.exe 89 PID 2916 wrote to memory of 3864 2916 Jeklag32.exe 89 PID 3864 wrote to memory of 4588 3864 Kboljk32.exe 91 PID 3864 wrote to memory of 4588 3864 Kboljk32.exe 91 PID 3864 wrote to memory of 4588 3864 Kboljk32.exe 91 PID 4588 wrote to memory of 3712 4588 Kemhff32.exe 92 PID 4588 wrote to memory of 3712 4588 Kemhff32.exe 92 PID 4588 wrote to memory of 3712 4588 Kemhff32.exe 92 PID 3712 wrote to memory of 4788 3712 Kbaipkbi.exe 93 PID 3712 wrote to memory of 4788 3712 Kbaipkbi.exe 93 PID 3712 wrote to memory of 4788 3712 Kbaipkbi.exe 93 PID 4788 wrote to memory of 1696 4788 Kdqejn32.exe 94 PID 4788 wrote to memory of 1696 4788 Kdqejn32.exe 94 PID 4788 wrote to memory of 1696 4788 Kdqejn32.exe 94 PID 1696 wrote to memory of 2904 1696 Kedoge32.exe 95 PID 1696 wrote to memory of 2904 1696 Kedoge32.exe 95 PID 1696 wrote to memory of 2904 1696 Kedoge32.exe 95 PID 2904 wrote to memory of 2236 2904 Kdeoemeg.exe 97 PID 2904 wrote to memory of 2236 2904 Kdeoemeg.exe 97 PID 2904 wrote to memory of 2236 2904 Kdeoemeg.exe 97 PID 2236 wrote to memory of 1724 2236 Kmncnb32.exe 98 PID 2236 wrote to memory of 1724 2236 Kmncnb32.exe 98 PID 2236 wrote to memory of 1724 2236 Kmncnb32.exe 98 PID 1724 wrote to memory of 2832 1724 Lffhfh32.exe 99 PID 1724 wrote to memory of 2832 1724 Lffhfh32.exe 99 PID 1724 wrote to memory of 2832 1724 Lffhfh32.exe 99 PID 2832 wrote to memory of 4968 2832 Lpnlpnih.exe 100 PID 2832 wrote to memory of 4968 2832 Lpnlpnih.exe 100 PID 2832 wrote to memory of 4968 2832 Lpnlpnih.exe 100 PID 4968 wrote to memory of 1044 4968 Lekehdgp.exe 101 PID 4968 wrote to memory of 1044 4968 Lekehdgp.exe 101 PID 4968 wrote to memory of 1044 4968 Lekehdgp.exe 101 PID 1044 wrote to memory of 768 1044 Lpqiemge.exe 102 PID 1044 wrote to memory of 768 1044 Lpqiemge.exe 102 PID 1044 wrote to memory of 768 1044 Lpqiemge.exe 102 PID 768 wrote to memory of 2164 768 Lfkaag32.exe 103 PID 768 wrote to memory of 2164 768 Lfkaag32.exe 103 PID 768 wrote to memory of 2164 768 Lfkaag32.exe 103 PID 2164 wrote to memory of 396 2164 Lgmngglp.exe 104 PID 2164 wrote to memory of 396 2164 Lgmngglp.exe 104 PID 2164 wrote to memory of 396 2164 Lgmngglp.exe 104 PID 396 wrote to memory of 4660 396 Lpebpm32.exe 105 PID 396 wrote to memory of 4660 396 Lpebpm32.exe 105 PID 396 wrote to memory of 4660 396 Lpebpm32.exe 105 PID 4660 wrote to memory of 5016 4660 Lebkhc32.exe 106 PID 4660 wrote to memory of 5016 4660 Lebkhc32.exe 106 PID 4660 wrote to memory of 5016 4660 Lebkhc32.exe 106 PID 5016 wrote to memory of 3904 5016 Mdckfk32.exe 107 PID 5016 wrote to memory of 3904 5016 Mdckfk32.exe 107 PID 5016 wrote to memory of 3904 5016 Mdckfk32.exe 107 PID 3904 wrote to memory of 4996 3904 Mpjlklok.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\610eb02ce15093910e335dcdfca31c51.exe"C:\Users\Admin\AppData\Local\Temp\610eb02ce15093910e335dcdfca31c51.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe23⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4268 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe25⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4248 -
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe27⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe28⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe29⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe30⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe31⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe32⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe34⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe35⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe36⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe37⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe38⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe39⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe40⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe41⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe42⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe43⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe44⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe45⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe46⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe48⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe49⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe50⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe51⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe52⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe53⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe54⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe55⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe56⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe57⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe58⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe59⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe60⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe61⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe62⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe63⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe64⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe65⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe66⤵PID:496
-
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe67⤵PID:1048
-
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe68⤵PID:788
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe69⤵PID:4940
-
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe70⤵PID:3548
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe71⤵
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3932 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe73⤵PID:3268
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe74⤵PID:1372
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe75⤵PID:4324
-
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe76⤵PID:1884
-
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe77⤵PID:4956
-
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe78⤵
- Modifies registry class
PID:3652 -
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe79⤵PID:852
-
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe80⤵PID:1604
-
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe81⤵
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe82⤵PID:4560
-
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe83⤵PID:3708
-
C:\Windows\SysWOW64\Kqmkae32.exeC:\Windows\system32\Kqmkae32.exe84⤵PID:4644
-
C:\Windows\SysWOW64\Kclgmq32.exeC:\Windows\system32\Kclgmq32.exe85⤵
- Drops file in System32 directory
PID:4676 -
C:\Windows\SysWOW64\Knalji32.exeC:\Windows\system32\Knalji32.exe86⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Kqphfe32.exeC:\Windows\system32\Kqphfe32.exe87⤵PID:836
-
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4440 -
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe89⤵PID:3968
-
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe90⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Kgninn32.exeC:\Windows\system32\Kgninn32.exe91⤵PID:2488
-
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe92⤵PID:772
-
C:\Windows\SysWOW64\Kdbjhbbd.exeC:\Windows\system32\Kdbjhbbd.exe93⤵
- Drops file in System32 directory
PID:4392 -
C:\Windows\SysWOW64\Kcejco32.exeC:\Windows\system32\Kcejco32.exe94⤵PID:3864
-
C:\Windows\SysWOW64\Lklbdm32.exeC:\Windows\system32\Lklbdm32.exe95⤵PID:2916
-
C:\Windows\SysWOW64\Lgccinoe.exeC:\Windows\system32\Lgccinoe.exe96⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe97⤵PID:3532
-
C:\Windows\SysWOW64\Lgepom32.exeC:\Windows\system32\Lgepom32.exe98⤵PID:3712
-
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe99⤵PID:844
-
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe100⤵PID:2832
-
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe101⤵
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\Fmhdkknd.exeC:\Windows\system32\Fmhdkknd.exe102⤵PID:3992
-
C:\Windows\SysWOW64\Fnipbc32.exeC:\Windows\system32\Fnipbc32.exe103⤵PID:4268
-
C:\Windows\SysWOW64\Fechomko.exeC:\Windows\system32\Fechomko.exe104⤵PID:4168
-
C:\Windows\SysWOW64\Flmqlg32.exeC:\Windows\system32\Flmqlg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Fbgihaji.exeC:\Windows\system32\Fbgihaji.exe106⤵PID:1592
-
C:\Windows\SysWOW64\Fiaael32.exeC:\Windows\system32\Fiaael32.exe107⤵PID:1616
-
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe108⤵PID:456
-
C:\Windows\SysWOW64\Gidnkkpc.exeC:\Windows\system32\Gidnkkpc.exe109⤵PID:3008
-
C:\Windows\SysWOW64\Gpnfge32.exeC:\Windows\system32\Gpnfge32.exe110⤵PID:3576
-
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3948 -
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe112⤵PID:1228
-
C:\Windows\SysWOW64\Gppcmeem.exeC:\Windows\system32\Gppcmeem.exe113⤵PID:4820
-
C:\Windows\SysWOW64\Gihgfk32.exeC:\Windows\system32\Gihgfk32.exe114⤵
- Modifies registry class
PID:3208 -
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe115⤵PID:4692
-
C:\Windows\SysWOW64\Gflhoo32.exeC:\Windows\system32\Gflhoo32.exe116⤵PID:2196
-
C:\Windows\SysWOW64\Gmfplibd.exeC:\Windows\system32\Gmfplibd.exe117⤵PID:4540
-
C:\Windows\SysWOW64\Goglcahb.exeC:\Windows\system32\Goglcahb.exe118⤵PID:1164
-
C:\Windows\SysWOW64\Gfodeohd.exeC:\Windows\system32\Gfodeohd.exe119⤵PID:3080
-
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe120⤵PID:3168
-
C:\Windows\SysWOW64\Gpgind32.exeC:\Windows\system32\Gpgind32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3788
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-