Analysis
-
max time kernel
93s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11/04/2024, 03:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d51b36564be52cbf30aefa88500c5cf18b9b264821c0cfc436f92172a7857dfc.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d51b36564be52cbf30aefa88500c5cf18b9b264821c0cfc436f92172a7857dfc.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d51b36564be52cbf30aefa88500c5cf18b9b264821c0cfc436f92172a7857dfc.exe
-
Size
96KB
-
MD5
11c9d5810cb6f455b73ba786eadcce90
-
SHA1
9b328ffec1e6c2eb893b5f2d77ef780652a6e645
-
SHA256
d51b36564be52cbf30aefa88500c5cf18b9b264821c0cfc436f92172a7857dfc
-
SHA512
924b4399c0a903ff0b7a88b2472c79cc84496b07d57a0df513061c412b9fafbde64e0f7e010c2fe9c9beb23ff230697649c19405cefa623ea040f3946591e59e
-
SSDEEP
1536:Os3Ymfq08pqKDXd+XxVBnmTJE4Nnqt0am/sfs7+s/BOmOCMy0QiLiizHNQNdq:B3lq0qn+BoJBqt0a0sfs7+s5OmOCMyEr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkoiefmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bopocbcq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmikeaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pghieg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnhidk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miemjaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goedpofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oemefcap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acokhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjccdkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkiqbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdfjifjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keonap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgopidgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gadqlkep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlklkgei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akhcfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eadopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkmnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kldmckic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjmkoeqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mahnhhod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lggldm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlhkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpolqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olhlhjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lajagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbhpch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgnbaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caebma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdhhdlid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfcmhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mngegmbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoofle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1312 Ldkojb32.exe 372 Liggbi32.exe 2868 Laopdgcg.exe 2240 Ldmlpbbj.exe 2984 Lgkhlnbn.exe 1924 Lijdhiaa.exe 5004 Lpcmec32.exe 3272 Lcbiao32.exe 3504 Lkiqbl32.exe 2896 Laciofpa.exe 4816 Ldaeka32.exe 4016 Lcdegnep.exe 3460 Lnjjdgee.exe 4808 Mjqjih32.exe 3060 Mahbje32.exe 4988 Mciobn32.exe 4708 Mkpgck32.exe 4272 Mnocof32.exe 3696 Mdiklqhm.exe 2800 Mpolqa32.exe 4044 Mkepnjng.exe 1828 Mncmjfmk.exe 5068 Mpaifalo.exe 4532 Mpdelajl.exe 4276 Mcbahlip.exe 1340 Nacbfdao.exe 2364 Nklfoi32.exe 3532 Nqiogp32.exe 2836 Ncgkcl32.exe 2988 Nnmopdep.exe 2880 Ncihikcg.exe 4992 Ndidbn32.exe 1964 Ndkahnhh.exe 208 Ncnadk32.exe 1808 Ondeac32.exe 2140 Oqbamo32.exe 904 Ogljjiei.exe 5020 Ogogoi32.exe 3724 Onholckc.exe 1476 Okloegjl.exe 1224 Oqihnn32.exe 1660 Ojalgcnd.exe 2592 Pcjapi32.exe 4176 Pkaiqf32.exe 436 Pbkamqmd.exe 3304 Pghieg32.exe 3932 Pkceffcd.exe 4352 Pbmncp32.exe 1140 Peljol32.exe 1460 Pgjfkg32.exe 1848 Pndohaqe.exe 4648 Pabkdmpi.exe 1748 Pcagphom.exe 2532 Pkhoae32.exe 5032 Pnfkma32.exe 456 Pbbgnpgl.exe 3548 Peqcjkfp.exe 440 Pkjlge32.exe 5060 Pjmlbbdg.exe 1580 Pagdol32.exe 5112 Qcepkg32.exe 1108 Qkmhlekj.exe 220 Qjpiha32.exe 2696 Qbgqio32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cghane32.dll Process not Found File created C:\Windows\SysWOW64\Bmemac32.exe Bnbmefbg.exe File created C:\Windows\SysWOW64\Pbjnik32.dll Fmfnpa32.exe File created C:\Windows\SysWOW64\Iofeei32.dll Jlhljhbg.exe File created C:\Windows\SysWOW64\Gmfmgg32.dll Kcndbp32.exe File created C:\Windows\SysWOW64\Gbdqegoi.dll Omegjomb.exe File created C:\Windows\SysWOW64\Pqindg32.dll Process not Found File created C:\Windows\SysWOW64\Lokdnjkg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lojmcdgl.exe Process not Found File created C:\Windows\SysWOW64\Gfniiokn.dll Pcagphom.exe File created C:\Windows\SysWOW64\Ejfeng32.exe Ebommi32.exe File opened for modification C:\Windows\SysWOW64\Eiieicml.exe Ejfeng32.exe File created C:\Windows\SysWOW64\Fmndpq32.exe Fbhpch32.exe File created C:\Windows\SysWOW64\Hfcnpn32.exe Process not Found File created C:\Windows\SysWOW64\Ggmookkn.dll Neppokal.exe File created C:\Windows\SysWOW64\Ajjjocap.exe Aqaffn32.exe File opened for modification C:\Windows\SysWOW64\Epmmqheb.exe Process not Found File created C:\Windows\SysWOW64\Gpgind32.exe Process not Found File created C:\Windows\SysWOW64\Ljbncc32.dll Ajkaii32.exe File created C:\Windows\SysWOW64\Iangld32.dll Ijcahd32.exe File opened for modification C:\Windows\SysWOW64\Kpiqfima.exe Process not Found File created C:\Windows\SysWOW64\Oiccje32.exe Process not Found File created C:\Windows\SysWOW64\Medqcmki.exe Mbedga32.exe File created C:\Windows\SysWOW64\Dbeojn32.dll Jlfpdh32.exe File opened for modification C:\Windows\SysWOW64\Gmfplibd.exe Process not Found File created C:\Windows\SysWOW64\Lckiihok.exe Process not Found File created C:\Windows\SysWOW64\Mpaifalo.exe Mncmjfmk.exe File opened for modification C:\Windows\SysWOW64\Dcigeooj.exe Dmoohe32.exe File created C:\Windows\SysWOW64\Pkegpb32.exe Pdkoch32.exe File opened for modification C:\Windows\SysWOW64\Neoieenp.exe Nbqmiinl.exe File created C:\Windows\SysWOW64\Mimcmnpn.dll Alnfpcag.exe File created C:\Windows\SysWOW64\Hkdoio32.dll Process not Found File created C:\Windows\SysWOW64\Pnkbkk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mciobn32.exe Mahbje32.exe File opened for modification C:\Windows\SysWOW64\Eofbch32.exe Elgfgl32.exe File created C:\Windows\SysWOW64\Hpdlhkad.dll Ehiffh32.exe File created C:\Windows\SysWOW64\Gojnko32.exe Gkobjpin.exe File created C:\Windows\SysWOW64\Hlhccj32.exe Hiiggoaf.exe File created C:\Windows\SysWOW64\Lcccepbd.dll Process not Found File created C:\Windows\SysWOW64\Qoqbfpfe.dll Ageolo32.exe File created C:\Windows\SysWOW64\Qfkjii32.dll Jqdoem32.exe File opened for modification C:\Windows\SysWOW64\Cmflbf32.exe Cbphdn32.exe File created C:\Windows\SysWOW64\Fmfnpa32.exe Fikbocki.exe File created C:\Windows\SysWOW64\Cojlbcgp.dll Ldjhpl32.exe File created C:\Windows\SysWOW64\Bbnkonbd.exe Bopocbcq.exe File opened for modification C:\Windows\SysWOW64\Domdjj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nadleilm.exe Process not Found File created C:\Windows\SysWOW64\Dfdjmlhn.dll Ognpebpj.exe File created C:\Windows\SysWOW64\Jnnpdg32.exe Jkodhk32.exe File opened for modification C:\Windows\SysWOW64\Hkjjlhle.exe Hgnoki32.exe File created C:\Windows\SysWOW64\Indfca32.exe Igjngh32.exe File created C:\Windows\SysWOW64\Nlmdbh32.exe Nagpeo32.exe File opened for modification C:\Windows\SysWOW64\Iogopi32.exe Process not Found File created C:\Windows\SysWOW64\Bdolhc32.exe Bjghpn32.exe File created C:\Windows\SysWOW64\Njkdbljm.dll Ecmeig32.exe File opened for modification C:\Windows\SysWOW64\Aqkgpedc.exe Ajanck32.exe File created C:\Windows\SysWOW64\Qihfjd32.dll Bnpppgdj.exe File opened for modification C:\Windows\SysWOW64\Pfepdg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lhkgoiqe.exe Lihfcm32.exe File created C:\Windows\SysWOW64\Ngaionfl.exe Npgabc32.exe File created C:\Windows\SysWOW64\Cgieglah.dll Pifnhpmi.exe File created C:\Windows\SysWOW64\Eecphp32.exe Process not Found File created C:\Windows\SysWOW64\Lenamdem.exe Ldleel32.exe File created C:\Windows\SysWOW64\Oahicipe.dll Aglemn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3028 14316 Process not Found 1560 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknombmk.dll" Najceeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdhcbgd.dll" Bejogg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffddka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgefeajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkabjbih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkkple32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjccdkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfjcpfb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndidbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohiemobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdbdcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmppfooc.dll" Oigllh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beeflhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqoiqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkepnjng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doqpak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nplkmckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdnhmdp.dll" Olgemcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbcqiope.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbociolq.dll" Bkkple32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcpahpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhnnep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfbkpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpdboimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llbidimc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdinljnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fefmmcgh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpomcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emmoafdl.dll" Iqipio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkibb32.dll" Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ognpebpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jiaglp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oigllh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fomhdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qddfkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohdbiic.dll" Oqbamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpaifalo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehnglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipfed32.dll" Emaedo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lghcocol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmakofh.dll" Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpod32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pghieg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqqlehck.dll" Hfifmnij.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1784 wrote to memory of 1312 1784 d51b36564be52cbf30aefa88500c5cf18b9b264821c0cfc436f92172a7857dfc.exe 83 PID 1784 wrote to memory of 1312 1784 d51b36564be52cbf30aefa88500c5cf18b9b264821c0cfc436f92172a7857dfc.exe 83 PID 1784 wrote to memory of 1312 1784 d51b36564be52cbf30aefa88500c5cf18b9b264821c0cfc436f92172a7857dfc.exe 83 PID 1312 wrote to memory of 372 1312 Ldkojb32.exe 84 PID 1312 wrote to memory of 372 1312 Ldkojb32.exe 84 PID 1312 wrote to memory of 372 1312 Ldkojb32.exe 84 PID 372 wrote to memory of 2868 372 Liggbi32.exe 85 PID 372 wrote to memory of 2868 372 Liggbi32.exe 85 PID 372 wrote to memory of 2868 372 Liggbi32.exe 85 PID 2868 wrote to memory of 2240 2868 Laopdgcg.exe 86 PID 2868 wrote to memory of 2240 2868 Laopdgcg.exe 86 PID 2868 wrote to memory of 2240 2868 Laopdgcg.exe 86 PID 2240 wrote to memory of 2984 2240 Ldmlpbbj.exe 87 PID 2240 wrote to memory of 2984 2240 Ldmlpbbj.exe 87 PID 2240 wrote to memory of 2984 2240 Ldmlpbbj.exe 87 PID 2984 wrote to memory of 1924 2984 Lgkhlnbn.exe 88 PID 2984 wrote to memory of 1924 2984 Lgkhlnbn.exe 88 PID 2984 wrote to memory of 1924 2984 Lgkhlnbn.exe 88 PID 1924 wrote to memory of 5004 1924 Lijdhiaa.exe 89 PID 1924 wrote to memory of 5004 1924 Lijdhiaa.exe 89 PID 1924 wrote to memory of 5004 1924 Lijdhiaa.exe 89 PID 5004 wrote to memory of 3272 5004 Lpcmec32.exe 90 PID 5004 wrote to memory of 3272 5004 Lpcmec32.exe 90 PID 5004 wrote to memory of 3272 5004 Lpcmec32.exe 90 PID 3272 wrote to memory of 3504 3272 Lcbiao32.exe 91 PID 3272 wrote to memory of 3504 3272 Lcbiao32.exe 91 PID 3272 wrote to memory of 3504 3272 Lcbiao32.exe 91 PID 3504 wrote to memory of 2896 3504 Lkiqbl32.exe 92 PID 3504 wrote to memory of 2896 3504 Lkiqbl32.exe 92 PID 3504 wrote to memory of 2896 3504 Lkiqbl32.exe 92 PID 2896 wrote to memory of 4816 2896 Laciofpa.exe 93 PID 2896 wrote to memory of 4816 2896 Laciofpa.exe 93 PID 2896 wrote to memory of 4816 2896 Laciofpa.exe 93 PID 4816 wrote to memory of 4016 4816 Ldaeka32.exe 94 PID 4816 wrote to memory of 4016 4816 Ldaeka32.exe 94 PID 4816 wrote to memory of 4016 4816 Ldaeka32.exe 94 PID 4016 wrote to memory of 3460 4016 Lcdegnep.exe 95 PID 4016 wrote to memory of 3460 4016 Lcdegnep.exe 95 PID 4016 wrote to memory of 3460 4016 Lcdegnep.exe 95 PID 3460 wrote to memory of 4808 3460 Lnjjdgee.exe 96 PID 3460 wrote to memory of 4808 3460 Lnjjdgee.exe 96 PID 3460 wrote to memory of 4808 3460 Lnjjdgee.exe 96 PID 4808 wrote to memory of 3060 4808 Mjqjih32.exe 97 PID 4808 wrote to memory of 3060 4808 Mjqjih32.exe 97 PID 4808 wrote to memory of 3060 4808 Mjqjih32.exe 97 PID 3060 wrote to memory of 4988 3060 Mahbje32.exe 98 PID 3060 wrote to memory of 4988 3060 Mahbje32.exe 98 PID 3060 wrote to memory of 4988 3060 Mahbje32.exe 98 PID 4988 wrote to memory of 4708 4988 Mciobn32.exe 99 PID 4988 wrote to memory of 4708 4988 Mciobn32.exe 99 PID 4988 wrote to memory of 4708 4988 Mciobn32.exe 99 PID 4708 wrote to memory of 4272 4708 Mkpgck32.exe 100 PID 4708 wrote to memory of 4272 4708 Mkpgck32.exe 100 PID 4708 wrote to memory of 4272 4708 Mkpgck32.exe 100 PID 4272 wrote to memory of 3696 4272 Mnocof32.exe 101 PID 4272 wrote to memory of 3696 4272 Mnocof32.exe 101 PID 4272 wrote to memory of 3696 4272 Mnocof32.exe 101 PID 3696 wrote to memory of 2800 3696 Mdiklqhm.exe 102 PID 3696 wrote to memory of 2800 3696 Mdiklqhm.exe 102 PID 3696 wrote to memory of 2800 3696 Mdiklqhm.exe 102 PID 2800 wrote to memory of 4044 2800 Mpolqa32.exe 103 PID 2800 wrote to memory of 4044 2800 Mpolqa32.exe 103 PID 2800 wrote to memory of 4044 2800 Mpolqa32.exe 103 PID 4044 wrote to memory of 1828 4044 Mkepnjng.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d51b36564be52cbf30aefa88500c5cf18b9b264821c0cfc436f92172a7857dfc.exe"C:\Users\Admin\AppData\Local\Temp\d51b36564be52cbf30aefa88500c5cf18b9b264821c0cfc436f92172a7857dfc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:5068 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe25⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe26⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe27⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe28⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe29⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe30⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe31⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe32⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4992 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe34⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe35⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe36⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe38⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe39⤵PID:3128
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe40⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe41⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe42⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe43⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe44⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe45⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe46⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe47⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3304 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe49⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe50⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe51⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe52⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe53⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe54⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe56⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe57⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe58⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe59⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe60⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe61⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe62⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe63⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe64⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe65⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe66⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe67⤵PID:1444
-
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe68⤵PID:2384
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe69⤵PID:1692
-
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe70⤵PID:620
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe71⤵PID:2456
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe72⤵PID:516
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe73⤵PID:652
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe74⤵PID:468
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe75⤵PID:1388
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe76⤵PID:1068
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe77⤵PID:3664
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe78⤵PID:2652
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe79⤵PID:3100
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe80⤵PID:952
-
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe81⤵PID:4768
-
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe82⤵PID:1372
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe83⤵PID:2908
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe84⤵PID:3000
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe85⤵PID:648
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe86⤵
- Modifies registry class
PID:3400 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe87⤵PID:2776
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe88⤵PID:2916
-
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe89⤵PID:3184
-
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe90⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe91⤵PID:4608
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe92⤵
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe93⤵PID:4080
-
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe94⤵PID:3228
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe95⤵PID:4164
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe96⤵PID:4576
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe97⤵PID:1676
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe98⤵PID:4120
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe99⤵PID:2040
-
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe100⤵PID:2408
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe101⤵PID:1156
-
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe102⤵PID:2264
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe103⤵PID:5156
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe104⤵PID:5200
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe105⤵PID:5244
-
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe106⤵PID:5288
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe107⤵PID:5332
-
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe108⤵PID:5376
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe109⤵PID:5416
-
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe110⤵PID:5464
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe111⤵PID:5512
-
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe112⤵PID:5560
-
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe113⤵PID:5600
-
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe114⤵
- Modifies registry class
PID:5644 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe115⤵PID:5684
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe116⤵PID:5720
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe117⤵PID:5764
-
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe118⤵PID:5800
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe119⤵PID:5856
-
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe120⤵
- Modifies registry class
PID:5896 -
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe121⤵PID:5940
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-