Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
08/05/2024, 22:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
522c74daa70e12285aace5033b5e60ccce8a99a28b16ca5a518f5c4d7cbc8ccd.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
522c74daa70e12285aace5033b5e60ccce8a99a28b16ca5a518f5c4d7cbc8ccd.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
522c74daa70e12285aace5033b5e60ccce8a99a28b16ca5a518f5c4d7cbc8ccd.exe
-
Size
300KB
-
MD5
2baa280d0550242007e84dd730e857ba
-
SHA1
ddd3d85283d3d58433cc2005b3d03dcb8576fe69
-
SHA256
522c74daa70e12285aace5033b5e60ccce8a99a28b16ca5a518f5c4d7cbc8ccd
-
SHA512
947133cf913c6d4569c613b6fbb3c78ad77c499200652b586256a6239463b28df2958249729b9a480b94579dfa3125d9b279119a7bbb4f98f75443c4f9e5c1bf
-
SSDEEP
6144:wbUY9p2G/qufhcmoZjwszeXmr8SeNpgdyuH1l+/Wd:wbBoCymCjb87g4/c
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbabigfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqbdldnq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andgoobc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdckfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leoghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppjgoaoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epokedmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aegikj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fahaplon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbpphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgkkkcbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggbkagp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhjohkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdodjhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbadcpbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocopdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldanqkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjlpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiokfpph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afnnnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbngllob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogmijllo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlbkap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Higjaoci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdmoohbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnepih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaindh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcfmkff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqphfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djelgied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkconn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenahpha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inbqhhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjhfpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qikgco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lingibiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miemjaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhpmgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmokop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fggfnc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gahjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbekqdjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmioc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbjhbbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laciofpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfoiokfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danecp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimpolee.exe -
Executes dropped EXE 64 IoCs
pid Process 1332 Kgphpo32.exe 4880 Kdcijcke.exe 3080 Kgbefoji.exe 3012 Kagichjo.exe 856 Kcifkp32.exe 1020 Kmnjhioc.exe 3300 Kajfig32.exe 1676 Kdhbec32.exe 740 Lmqgnhmp.exe 2160 Lpocjdld.exe 4532 Liggbi32.exe 2096 Lpappc32.exe 5048 Ldmlpbbj.exe 1052 Lkgdml32.exe 4592 Lnepih32.exe 2132 Laciofpa.exe 4780 Ljnnch32.exe 908 Laefdf32.exe 1172 Lknjmkdo.exe 4560 Mahbje32.exe 800 Mkpgck32.exe 1704 Mpmokb32.exe 4040 Mgghhlhq.exe 3684 Mamleegg.exe 5040 Mgidml32.exe 4904 Maohkd32.exe 3204 Mkgmcjld.exe 2612 Mpdelajl.exe 4332 Nkjjij32.exe 4472 Ndbnboqb.exe 5076 Nnjbke32.exe 4968 Nqiogp32.exe 4828 Nnmopdep.exe 2924 Nbkhfc32.exe 4076 Nbmelbid.exe 3036 Okeieh32.exe 4476 Oqbamo32.exe 4448 Okhfjh32.exe 3656 Obangb32.exe 1232 Okjbpglo.exe 1896 Obdkma32.exe 3588 Ocegdjij.exe 964 Oqihnn32.exe 1492 Ojalgcnd.exe 5032 Odgqdlnj.exe 3892 Pbkamqmd.exe 4172 Pclneicb.exe 4984 Pkceffcd.exe 1700 Pbmncp32.exe 2288 Peljol32.exe 1080 Pjhbgb32.exe 4944 Pbpjhp32.exe 4612 Pcagphom.exe 632 Pjkombfj.exe 1432 Peqcjkfp.exe 1692 Pgopffec.exe 4548 Pnihcq32.exe 3680 Qcepkg32.exe 5072 Qkmhlekj.exe 1756 Qajadlja.exe 3176 Qgciaf32.exe 2424 Qnnanphk.exe 3648 Aegikj32.exe 2960 Agffge32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fpnfmjbo.dll Bfhadc32.exe File created C:\Windows\SysWOW64\Qgngnj32.dll Jnlbojee.exe File created C:\Windows\SysWOW64\Aafkfgeh.dll Process not Found File created C:\Windows\SysWOW64\Olgkhn32.dll Eeidoc32.exe File opened for modification C:\Windows\SysWOW64\Nipekiep.exe Ngaionfl.exe File created C:\Windows\SysWOW64\Olckbd32.exe Oidofh32.exe File created C:\Windows\SysWOW64\Ojnblg32.exe Ocdjpmac.exe File created C:\Windows\SysWOW64\Fqgocidj.dll Eibfck32.exe File created C:\Windows\SysWOW64\Coiaiakf.exe Ckmehb32.exe File created C:\Windows\SysWOW64\Lcgdbi32.dll Glhonj32.exe File opened for modification C:\Windows\SysWOW64\Jhijqj32.exe Jdnoplhh.exe File opened for modification C:\Windows\SysWOW64\Beihma32.exe Bmbplc32.exe File created C:\Windows\SysWOW64\Efhaoapj.dll Lmbmibhb.exe File created C:\Windows\SysWOW64\Mmgdfa32.dll Qfpbmfdf.exe File created C:\Windows\SysWOW64\Pidabppl.exe Pcjiff32.exe File opened for modification C:\Windows\SysWOW64\Glhonj32.exe Gdqgmmjb.exe File created C:\Windows\SysWOW64\Bgpmhl32.dll Imoneg32.exe File created C:\Windows\SysWOW64\Jbbfdfkn.exe Jodjhkkj.exe File created C:\Windows\SysWOW64\Ehiffj32.dll Gkgeoklj.exe File created C:\Windows\SysWOW64\Ckilmcgb.exe Cijpahho.exe File opened for modification C:\Windows\SysWOW64\Nmgjia32.exe Process not Found File created C:\Windows\SysWOW64\Gbbkdl32.dll Mkgmcjld.exe File created C:\Windows\SysWOW64\Oddmdf32.exe Olmeci32.exe File created C:\Windows\SysWOW64\Gfheof32.exe Gbmingjo.exe File opened for modification C:\Windows\SysWOW64\Bddjpd32.exe Process not Found File created C:\Windows\SysWOW64\Pfnmog32.dll Process not Found File created C:\Windows\SysWOW64\Kmkfhc32.exe Kedoge32.exe File created C:\Windows\SysWOW64\Dekhneap.exe Dbllbibl.exe File created C:\Windows\SysWOW64\Egdeookg.dll Mhfppabl.exe File opened for modification C:\Windows\SysWOW64\Fkopnh32.exe Fhqcam32.exe File created C:\Windows\SysWOW64\Pjmdlh32.dll Process not Found File created C:\Windows\SysWOW64\Jocefm32.exe Process not Found File created C:\Windows\SysWOW64\Cedckdaj.dll Process not Found File created C:\Windows\SysWOW64\Eiecmmbf.dll Lbmhlihl.exe File created C:\Windows\SysWOW64\Chmndlge.exe Cenahpha.exe File created C:\Windows\SysWOW64\Eagaoh32.exe Dfamapjo.exe File created C:\Windows\SysWOW64\Ioenpjfm.dll Bkdcbd32.exe File created C:\Windows\SysWOW64\Cfnqklgh.exe Ccpdoqgd.exe File created C:\Windows\SysWOW64\Lihcbd32.dll Process not Found File created C:\Windows\SysWOW64\Njciko32.exe Nfgmjqop.exe File opened for modification C:\Windows\SysWOW64\Bheffh32.exe Bblnindg.exe File created C:\Windows\SysWOW64\Pcjiff32.exe Pkcadhgm.exe File created C:\Windows\SysWOW64\Niklpj32.exe Nbadcpbh.exe File opened for modification C:\Windows\SysWOW64\Iafonaao.exe Ijogmdqm.exe File opened for modification C:\Windows\SysWOW64\Ijegcm32.exe Icknfcol.exe File created C:\Windows\SysWOW64\Jbgoof32.exe Jkmgblok.exe File created C:\Windows\SysWOW64\Bmomlnjk.exe Bjaqpbkh.exe File created C:\Windows\SysWOW64\Hpiecd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hcbpab32.exe Hkkhqd32.exe File created C:\Windows\SysWOW64\Phjenbhp.exe Pflibgil.exe File created C:\Windows\SysWOW64\Phiifkjp.dll Bnhjohkb.exe File created C:\Windows\SysWOW64\Gdcdbl32.exe Gbdgfa32.exe File opened for modification C:\Windows\SysWOW64\Egdqae32.exe Eecdjmfi.exe File created C:\Windows\SysWOW64\Aqlelp32.dll Lpkiph32.exe File opened for modification C:\Windows\SysWOW64\Llbidimc.exe Lidmhmnp.exe File created C:\Windows\SysWOW64\Dphefd32.dll Jjmcnbdm.exe File created C:\Windows\SysWOW64\Lbkkgl32.exe Ljdceo32.exe File created C:\Windows\SysWOW64\Dfmioc32.dll Elbhjp32.exe File created C:\Windows\SysWOW64\Lfkgaokd.dll Fhqcam32.exe File created C:\Windows\SysWOW64\Oodcdb32.exe Process not Found File created C:\Windows\SysWOW64\Kfmcjh32.dll Iohjlmeg.exe File created C:\Windows\SysWOW64\Lmdijf32.dll Poodpmca.exe File created C:\Windows\SysWOW64\Jcoaglhk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cdkifmjq.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 13096 12904 Process not Found 1497 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qikoka32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleqaiga.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll" Laciofpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbjkgmg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ophjiaql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okgaijaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll" Jmmjgejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhbkinel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjdjoane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbjmd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnjbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll" Jfhlejnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jklinohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejlephc.dll" Dabhdinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ednaqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncilb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klobfk32.dll" Akoqpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhbhlgio.dll" Gaefgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmdhh32.dll" Febgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbbmmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhmomen.dll" Ifdonfka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phjenbhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Polppg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipnjab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nckndeni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjhcjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhjoabm.dll" Gkmdecbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oebneoob.dll" Fojedapj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbkbod32.dll" Kihnmohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoolbinc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgbdcgld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohnohn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pocfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhokgpp.dll" Gfbibikg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifleoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plopnh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgeag32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll" Lbmhlihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opemca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkldqkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lghcocol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpggodfg.dll" Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmmaj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll" Olkhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmbndpm.dll" Lihfcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmkgkapm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjmgfgdf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1544 wrote to memory of 1332 1544 522c74daa70e12285aace5033b5e60ccce8a99a28b16ca5a518f5c4d7cbc8ccd.exe 79 PID 1544 wrote to memory of 1332 1544 522c74daa70e12285aace5033b5e60ccce8a99a28b16ca5a518f5c4d7cbc8ccd.exe 79 PID 1544 wrote to memory of 1332 1544 522c74daa70e12285aace5033b5e60ccce8a99a28b16ca5a518f5c4d7cbc8ccd.exe 79 PID 1332 wrote to memory of 4880 1332 Kgphpo32.exe 80 PID 1332 wrote to memory of 4880 1332 Kgphpo32.exe 80 PID 1332 wrote to memory of 4880 1332 Kgphpo32.exe 80 PID 4880 wrote to memory of 3080 4880 Kdcijcke.exe 81 PID 4880 wrote to memory of 3080 4880 Kdcijcke.exe 81 PID 4880 wrote to memory of 3080 4880 Kdcijcke.exe 81 PID 3080 wrote to memory of 3012 3080 Kgbefoji.exe 82 PID 3080 wrote to memory of 3012 3080 Kgbefoji.exe 82 PID 3080 wrote to memory of 3012 3080 Kgbefoji.exe 82 PID 3012 wrote to memory of 856 3012 Kagichjo.exe 83 PID 3012 wrote to memory of 856 3012 Kagichjo.exe 83 PID 3012 wrote to memory of 856 3012 Kagichjo.exe 83 PID 856 wrote to memory of 1020 856 Kcifkp32.exe 85 PID 856 wrote to memory of 1020 856 Kcifkp32.exe 85 PID 856 wrote to memory of 1020 856 Kcifkp32.exe 85 PID 1020 wrote to memory of 3300 1020 Kmnjhioc.exe 86 PID 1020 wrote to memory of 3300 1020 Kmnjhioc.exe 86 PID 1020 wrote to memory of 3300 1020 Kmnjhioc.exe 86 PID 3300 wrote to memory of 1676 3300 Kajfig32.exe 87 PID 3300 wrote to memory of 1676 3300 Kajfig32.exe 87 PID 3300 wrote to memory of 1676 3300 Kajfig32.exe 87 PID 1676 wrote to memory of 740 1676 Kdhbec32.exe 89 PID 1676 wrote to memory of 740 1676 Kdhbec32.exe 89 PID 1676 wrote to memory of 740 1676 Kdhbec32.exe 89 PID 740 wrote to memory of 2160 740 Lmqgnhmp.exe 90 PID 740 wrote to memory of 2160 740 Lmqgnhmp.exe 90 PID 740 wrote to memory of 2160 740 Lmqgnhmp.exe 90 PID 2160 wrote to memory of 4532 2160 Lpocjdld.exe 91 PID 2160 wrote to memory of 4532 2160 Lpocjdld.exe 91 PID 2160 wrote to memory of 4532 2160 Lpocjdld.exe 91 PID 4532 wrote to memory of 2096 4532 Liggbi32.exe 93 PID 4532 wrote to memory of 2096 4532 Liggbi32.exe 93 PID 4532 wrote to memory of 2096 4532 Liggbi32.exe 93 PID 2096 wrote to memory of 5048 2096 Lpappc32.exe 94 PID 2096 wrote to memory of 5048 2096 Lpappc32.exe 94 PID 2096 wrote to memory of 5048 2096 Lpappc32.exe 94 PID 5048 wrote to memory of 1052 5048 Ldmlpbbj.exe 95 PID 5048 wrote to memory of 1052 5048 Ldmlpbbj.exe 95 PID 5048 wrote to memory of 1052 5048 Ldmlpbbj.exe 95 PID 1052 wrote to memory of 4592 1052 Lkgdml32.exe 96 PID 1052 wrote to memory of 4592 1052 Lkgdml32.exe 96 PID 1052 wrote to memory of 4592 1052 Lkgdml32.exe 96 PID 4592 wrote to memory of 2132 4592 Lnepih32.exe 97 PID 4592 wrote to memory of 2132 4592 Lnepih32.exe 97 PID 4592 wrote to memory of 2132 4592 Lnepih32.exe 97 PID 2132 wrote to memory of 4780 2132 Laciofpa.exe 98 PID 2132 wrote to memory of 4780 2132 Laciofpa.exe 98 PID 2132 wrote to memory of 4780 2132 Laciofpa.exe 98 PID 4780 wrote to memory of 908 4780 Ljnnch32.exe 99 PID 4780 wrote to memory of 908 4780 Ljnnch32.exe 99 PID 4780 wrote to memory of 908 4780 Ljnnch32.exe 99 PID 908 wrote to memory of 1172 908 Laefdf32.exe 100 PID 908 wrote to memory of 1172 908 Laefdf32.exe 100 PID 908 wrote to memory of 1172 908 Laefdf32.exe 100 PID 1172 wrote to memory of 4560 1172 Lknjmkdo.exe 101 PID 1172 wrote to memory of 4560 1172 Lknjmkdo.exe 101 PID 1172 wrote to memory of 4560 1172 Lknjmkdo.exe 101 PID 4560 wrote to memory of 800 4560 Mahbje32.exe 102 PID 4560 wrote to memory of 800 4560 Mahbje32.exe 102 PID 4560 wrote to memory of 800 4560 Mahbje32.exe 102 PID 800 wrote to memory of 1704 800 Mkpgck32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\522c74daa70e12285aace5033b5e60ccce8a99a28b16ca5a518f5c4d7cbc8ccd.exe"C:\Users\Admin\AppData\Local\Temp\522c74daa70e12285aace5033b5e60ccce8a99a28b16ca5a518f5c4d7cbc8ccd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe23⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe24⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe25⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe26⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe27⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3204 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe29⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe30⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe31⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:5076 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe33⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe34⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe35⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe36⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe37⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe38⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe39⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe40⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe41⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe42⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe43⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe44⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe45⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe46⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe47⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe48⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe49⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe50⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe51⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe52⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe53⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe54⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe55⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe56⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe57⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe58⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe59⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe60⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe61⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe62⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe63⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe65⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe66⤵PID:1596
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe67⤵PID:1808
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe68⤵PID:5004
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe69⤵PID:3632
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe70⤵PID:4564
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4296 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe72⤵PID:4220
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe73⤵PID:900
-
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe74⤵PID:1836
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe75⤵PID:1320
-
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe76⤵PID:2016
-
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe77⤵PID:4116
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe78⤵PID:3616
-
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe79⤵PID:4976
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe80⤵PID:1952
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe81⤵PID:4832
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe82⤵PID:1280
-
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe83⤵PID:1272
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:336 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe85⤵PID:2456
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe86⤵PID:4924
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe87⤵PID:2796
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe88⤵PID:2108
-
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe89⤵PID:1120
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe90⤵PID:3040
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe91⤵PID:3672
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe92⤵PID:2944
-
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe93⤵PID:976
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe94⤵PID:2112
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe95⤵PID:3744
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe96⤵PID:4184
-
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe97⤵PID:4224
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe98⤵PID:1984
-
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe99⤵PID:4884
-
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe100⤵PID:2348
-
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe101⤵PID:3828
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe102⤵PID:5020
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe103⤵
- Drops file in System32 directory
PID:3364 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe104⤵PID:2328
-
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe105⤵PID:2692
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe106⤵PID:4576
-
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe107⤵PID:4408
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe108⤵PID:3224
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe109⤵PID:4812
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe110⤵PID:3180
-
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe111⤵PID:388
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe112⤵PID:4412
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe113⤵PID:1604
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe114⤵PID:4876
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe115⤵PID:1916
-
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe116⤵PID:4044
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe117⤵PID:1600
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe118⤵PID:2400
-
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe119⤵PID:5136
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe120⤵PID:5180
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe121⤵PID:5216
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-