Analysis
-
max time kernel
136s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30/05/2024, 22:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5fd23abec4523d200b1e26a5023858fd10a056de0feff1f8c32c0f71c2bf0d65.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5fd23abec4523d200b1e26a5023858fd10a056de0feff1f8c32c0f71c2bf0d65.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
5fd23abec4523d200b1e26a5023858fd10a056de0feff1f8c32c0f71c2bf0d65.exe
-
Size
224KB
-
MD5
bdb79a5a71ed544e6fe6544abee494bd
-
SHA1
3709988e86b88c7b77fbadb0caa1fe1e58963e1a
-
SHA256
5fd23abec4523d200b1e26a5023858fd10a056de0feff1f8c32c0f71c2bf0d65
-
SHA512
3d205c46db786958fad5345ae845e8013efc3600ce2a0054f33195c824e25ed014e97701ce0dc890cbe7d18be2818f6a6a966fdd9c1cc1359d8490fda6246be6
-
SSDEEP
6144:Q3QvAhsBrdPVE4f9FIUpOVw86CmOJfTo9FIUIhrcflDML:IG4sBrkaAD6RrI1+lDML
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgobel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfjkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afhfaddk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iplkpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfjfecno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfpinmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekonpckp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifojnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnadagbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohbhmfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gnblnlhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmjkic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnfiplog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqdpgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcalieg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odmbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifkpknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibcaknbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iomoenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkfcqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keifdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcgdhkem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqknkedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boeebnhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hipmfjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jokkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnojho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haodle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpcpfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gifkpknp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlepcdoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimmifgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Digehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaenbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqhjggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncbafoge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffcpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npiiffqe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlblcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efgemb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnkbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdhffg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmmmfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjeiodek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfchlbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdojjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lplfcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njedbjej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfpcoefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opnbae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggfglb32.exe -
Executes dropped EXE 64 IoCs
pid Process 4068 Jqknkedi.exe 2564 Kjccdkki.exe 2384 Kdigadjo.exe 4928 Kggcnoic.exe 3540 Knalji32.exe 4652 Knchpiom.exe 2840 Kdmqmc32.exe 2408 Kjjiej32.exe 3996 Kqdaadln.exe 4944 Kkjeomld.exe 4064 Kdbjhbbd.exe 1716 Ljobpiql.exe 4836 Lddgmbpb.exe 1304 Lknojl32.exe 3944 Lmpkadnm.exe 1920 Lnohlgep.exe 1460 Lclpdncg.exe 3496 Lnadagbm.exe 812 Lcnmin32.exe 2084 Ljhefhha.exe 2672 Lenicahg.exe 2920 Mkhapk32.exe 2924 Mgobel32.exe 3316 Mnhkbfme.exe 3412 Mcecjmkl.exe 2892 Mjokgg32.exe 1656 Mchppmij.exe 1200 Mjahlgpf.exe 3456 Mjdebfnd.exe 1956 Mmbanbmg.exe 2692 Nlcalieg.exe 4268 Nelfeo32.exe 1000 Ngjbaj32.exe 3872 Nndjndbh.exe 4316 Nabfjpak.exe 5044 Nhmofj32.exe 4108 Nnfgcd32.exe 3276 Neqopnhb.exe 1876 Nlkgmh32.exe 868 Nmlddqem.exe 3640 Neclenfo.exe 4568 Njpdnedf.exe 3252 Najmjokc.exe 2628 Odhifjkg.exe 4996 Oloahhki.exe 3648 Omqmop32.exe 1772 Ohfami32.exe 4156 Ojdnid32.exe 4300 Oanfen32.exe 1320 Odmbaj32.exe 2416 Oldjcg32.exe 4704 Omegjomb.exe 4828 Oaqbkn32.exe 1676 Ohkkhhmh.exe 3712 Oodcdb32.exe 4668 Oacoqnci.exe 4980 Ohmhmh32.exe 4632 Okkdic32.exe 2372 Pddhbipj.exe 1624 Plkpcfal.exe 2712 Pmlmkn32.exe 4380 Pdfehh32.exe 5140 Pkpmdbfd.exe 5188 Pajeam32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ppolhcnm.exe Pmpolgoi.exe File opened for modification C:\Windows\SysWOW64\Kcoccc32.exe Kpqggh32.exe File opened for modification C:\Windows\SysWOW64\Badanigc.exe Boeebnhp.exe File created C:\Windows\SysWOW64\Efblbbqd.exe Eoideh32.exe File created C:\Windows\SysWOW64\Alnfpcag.exe Aahbbkaq.exe File opened for modification C:\Windows\SysWOW64\Bddjpd32.exe Bafndi32.exe File created C:\Windows\SysWOW64\Qckcba32.dll Ppdbgncl.exe File opened for modification C:\Windows\SysWOW64\Hoeieolb.exe Hlglidlo.exe File opened for modification C:\Windows\SysWOW64\Ieidhh32.exe Ickglm32.exe File opened for modification C:\Windows\SysWOW64\Cnjdpaki.exe Chnlgjlb.exe File created C:\Windows\SysWOW64\Fpenlneh.dll Nqoloc32.exe File created C:\Windows\SysWOW64\Amikgpcc.exe Apeknk32.exe File created C:\Windows\SysWOW64\Kbpkkeen.dll Biklho32.exe File created C:\Windows\SysWOW64\Nbnimm32.dll Kdmqmc32.exe File created C:\Windows\SysWOW64\Plgdqf32.dll Fofilp32.exe File created C:\Windows\SysWOW64\Ecipcemb.dll Fiqjke32.exe File created C:\Windows\SysWOW64\Lpochfji.exe Lancko32.exe File opened for modification C:\Windows\SysWOW64\Hfaajnfb.exe Gpgind32.exe File created C:\Windows\SysWOW64\Jngbjd32.exe Jepjhg32.exe File opened for modification C:\Windows\SysWOW64\Nopfpgip.exe Nqmfdj32.exe File created C:\Windows\SysWOW64\Eonklp32.dll Jqknkedi.exe File created C:\Windows\SysWOW64\Lancko32.exe Lplfcf32.exe File opened for modification C:\Windows\SysWOW64\Iojbpo32.exe Imiehfao.exe File created C:\Windows\SysWOW64\Aafkfgeh.dll Jenmcggo.exe File opened for modification C:\Windows\SysWOW64\Jcanll32.exe Jpcapp32.exe File opened for modification C:\Windows\SysWOW64\Mnegbp32.exe Mgloefco.exe File created C:\Windows\SysWOW64\Pmpolgoi.exe Pjbcplpe.exe File created C:\Windows\SysWOW64\Jekqmhia.exe Jcmdaljn.exe File created C:\Windows\SysWOW64\Knnhjcog.exe Kegpifod.exe File created C:\Windows\SysWOW64\Appfnncn.dll Kpmdfonj.exe File created C:\Windows\SysWOW64\Kpdjljdk.dll Lfjfecno.exe File created C:\Windows\SysWOW64\Egilaj32.dll Qdaniq32.exe File created C:\Windows\SysWOW64\Epoaed32.dll Ddifgk32.exe File opened for modification C:\Windows\SysWOW64\Iplkpa32.exe Iibccgep.exe File opened for modification C:\Windows\SysWOW64\Jenmcggo.exe Jcoaglhk.exe File created C:\Windows\SysWOW64\Egdagc32.dll Jcanll32.exe File created C:\Windows\SysWOW64\Dndfnlpc.dll Ofgdcipq.exe File created C:\Windows\SysWOW64\Cqmmqg32.dll Efgemb32.exe File created C:\Windows\SysWOW64\Jihiic32.dll Nopfpgip.exe File opened for modification C:\Windows\SysWOW64\Cdnmfclj.exe Cbpajgmf.exe File created C:\Windows\SysWOW64\Dfjehbcf.dll Imgicgca.exe File created C:\Windows\SysWOW64\Coegoe32.exe Cgnomg32.exe File created C:\Windows\SysWOW64\Lpiaimfg.dll Ipbaol32.exe File opened for modification C:\Windows\SysWOW64\Kkjeomld.exe Kqdaadln.exe File opened for modification C:\Windows\SysWOW64\Fechomko.exe Flkdfh32.exe File opened for modification C:\Windows\SysWOW64\Gfodeohd.exe Goglcahb.exe File created C:\Windows\SysWOW64\Nhmofj32.exe Nabfjpak.exe File created C:\Windows\SysWOW64\Fneggdhg.exe Fmcjpl32.exe File created C:\Windows\SysWOW64\Mnegbp32.exe Mgloefco.exe File opened for modification C:\Windows\SysWOW64\Mbgeqmjp.exe Mljmhflh.exe File created C:\Windows\SysWOW64\Hmnajl32.dll Mmbanbmg.exe File created C:\Windows\SysWOW64\Cofnik32.exe Chlflabp.exe File opened for modification C:\Windows\SysWOW64\Dnbakghm.exe Dmadco32.exe File opened for modification C:\Windows\SysWOW64\Bmjkic32.exe Bklomh32.exe File created C:\Windows\SysWOW64\Hpnoncim.exe Hehkajig.exe File opened for modification C:\Windows\SysWOW64\Hlglidlo.exe Hiipmhmk.exe File opened for modification C:\Windows\SysWOW64\Jjpode32.exe Jgbchj32.exe File created C:\Windows\SysWOW64\Kcpjnjii.exe Kpanan32.exe File created C:\Windows\SysWOW64\Aojefobm.exe Ahpmjejp.exe File created C:\Windows\SysWOW64\Iialhaad.exe Ipihpkkd.exe File opened for modification C:\Windows\SysWOW64\Iialhaad.exe Ipihpkkd.exe File opened for modification C:\Windows\SysWOW64\Ocdnln32.exe Nqfbpb32.exe File created C:\Windows\SysWOW64\Ccppmc32.exe Cancekeo.exe File created C:\Windows\SysWOW64\Lcnmin32.exe Lnadagbm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12652 12612 WerFault.exe 649 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afbgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llobhg32.dll" Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlqeenhm.dll" Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kdbjhbbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll" Bdfpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flkdfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbbajjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kplmliko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbbpmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ommceclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlkgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhegig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dngjff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Badanigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdgged32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hoeieolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oanokhdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll" Agimkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll" Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll" Nadleilm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckhecmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angdnk32.dll" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogmlp32.dll" Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkoafbld.dll" Lnoaaaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oloahhki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebdlangb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kiphjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbkqfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hbhboolf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcoccc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjoiip32.dll" Mbgeqmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bfkbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmipm32.dll" Enfckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Imgicgca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehbnigjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdaia32.dll" Gmfplibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iialhaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nciopppp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmlmkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcoaglhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdagc32.dll" Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccegac32.dll" Giljfddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jqknkedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hblkjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ganldgib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nodiqp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oophlo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfkeh32.dll" Klcekpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjdebfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmanjof.dll" Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedegh32.dll" Ojfcdnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofegni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mnhkbfme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Geohklaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgbchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpnjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilchfdgp.dll" Digehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dokgdkeh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3212 wrote to memory of 4068 3212 5fd23abec4523d200b1e26a5023858fd10a056de0feff1f8c32c0f71c2bf0d65.exe 90 PID 3212 wrote to memory of 4068 3212 5fd23abec4523d200b1e26a5023858fd10a056de0feff1f8c32c0f71c2bf0d65.exe 90 PID 3212 wrote to memory of 4068 3212 5fd23abec4523d200b1e26a5023858fd10a056de0feff1f8c32c0f71c2bf0d65.exe 90 PID 4068 wrote to memory of 2564 4068 Jqknkedi.exe 91 PID 4068 wrote to memory of 2564 4068 Jqknkedi.exe 91 PID 4068 wrote to memory of 2564 4068 Jqknkedi.exe 91 PID 2564 wrote to memory of 2384 2564 Kjccdkki.exe 92 PID 2564 wrote to memory of 2384 2564 Kjccdkki.exe 92 PID 2564 wrote to memory of 2384 2564 Kjccdkki.exe 92 PID 2384 wrote to memory of 4928 2384 Kdigadjo.exe 93 PID 2384 wrote to memory of 4928 2384 Kdigadjo.exe 93 PID 2384 wrote to memory of 4928 2384 Kdigadjo.exe 93 PID 4928 wrote to memory of 3540 4928 Kggcnoic.exe 94 PID 4928 wrote to memory of 3540 4928 Kggcnoic.exe 94 PID 4928 wrote to memory of 3540 4928 Kggcnoic.exe 94 PID 3540 wrote to memory of 4652 3540 Knalji32.exe 95 PID 3540 wrote to memory of 4652 3540 Knalji32.exe 95 PID 3540 wrote to memory of 4652 3540 Knalji32.exe 95 PID 4652 wrote to memory of 2840 4652 Knchpiom.exe 96 PID 4652 wrote to memory of 2840 4652 Knchpiom.exe 96 PID 4652 wrote to memory of 2840 4652 Knchpiom.exe 96 PID 2840 wrote to memory of 2408 2840 Kdmqmc32.exe 97 PID 2840 wrote to memory of 2408 2840 Kdmqmc32.exe 97 PID 2840 wrote to memory of 2408 2840 Kdmqmc32.exe 97 PID 2408 wrote to memory of 3996 2408 Kjjiej32.exe 98 PID 2408 wrote to memory of 3996 2408 Kjjiej32.exe 98 PID 2408 wrote to memory of 3996 2408 Kjjiej32.exe 98 PID 3996 wrote to memory of 4944 3996 Kqdaadln.exe 99 PID 3996 wrote to memory of 4944 3996 Kqdaadln.exe 99 PID 3996 wrote to memory of 4944 3996 Kqdaadln.exe 99 PID 4944 wrote to memory of 4064 4944 Kkjeomld.exe 100 PID 4944 wrote to memory of 4064 4944 Kkjeomld.exe 100 PID 4944 wrote to memory of 4064 4944 Kkjeomld.exe 100 PID 4064 wrote to memory of 1716 4064 Kdbjhbbd.exe 101 PID 4064 wrote to memory of 1716 4064 Kdbjhbbd.exe 101 PID 4064 wrote to memory of 1716 4064 Kdbjhbbd.exe 101 PID 1716 wrote to memory of 4836 1716 Ljobpiql.exe 102 PID 1716 wrote to memory of 4836 1716 Ljobpiql.exe 102 PID 1716 wrote to memory of 4836 1716 Ljobpiql.exe 102 PID 4836 wrote to memory of 1304 4836 Lddgmbpb.exe 103 PID 4836 wrote to memory of 1304 4836 Lddgmbpb.exe 103 PID 4836 wrote to memory of 1304 4836 Lddgmbpb.exe 103 PID 1304 wrote to memory of 3944 1304 Lknojl32.exe 104 PID 1304 wrote to memory of 3944 1304 Lknojl32.exe 104 PID 1304 wrote to memory of 3944 1304 Lknojl32.exe 104 PID 3944 wrote to memory of 1920 3944 Lmpkadnm.exe 106 PID 3944 wrote to memory of 1920 3944 Lmpkadnm.exe 106 PID 3944 wrote to memory of 1920 3944 Lmpkadnm.exe 106 PID 1920 wrote to memory of 1460 1920 Lnohlgep.exe 107 PID 1920 wrote to memory of 1460 1920 Lnohlgep.exe 107 PID 1920 wrote to memory of 1460 1920 Lnohlgep.exe 107 PID 1460 wrote to memory of 3496 1460 Lclpdncg.exe 108 PID 1460 wrote to memory of 3496 1460 Lclpdncg.exe 108 PID 1460 wrote to memory of 3496 1460 Lclpdncg.exe 108 PID 3496 wrote to memory of 812 3496 Lnadagbm.exe 110 PID 3496 wrote to memory of 812 3496 Lnadagbm.exe 110 PID 3496 wrote to memory of 812 3496 Lnadagbm.exe 110 PID 812 wrote to memory of 2084 812 Lcnmin32.exe 111 PID 812 wrote to memory of 2084 812 Lcnmin32.exe 111 PID 812 wrote to memory of 2084 812 Lcnmin32.exe 111 PID 2084 wrote to memory of 2672 2084 Ljhefhha.exe 112 PID 2084 wrote to memory of 2672 2084 Ljhefhha.exe 112 PID 2084 wrote to memory of 2672 2084 Ljhefhha.exe 112 PID 2672 wrote to memory of 2920 2672 Lenicahg.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\5fd23abec4523d200b1e26a5023858fd10a056de0feff1f8c32c0f71c2bf0d65.exe"C:\Users\Admin\AppData\Local\Temp\5fd23abec4523d200b1e26a5023858fd10a056de0feff1f8c32c0f71c2bf0d65.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Knalji32.exeC:\Windows\system32\Knalji32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Knchpiom.exeC:\Windows\system32\Knchpiom.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Kdmqmc32.exeC:\Windows\system32\Kdmqmc32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Kjjiej32.exeC:\Windows\system32\Kjjiej32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Kkjeomld.exeC:\Windows\system32\Kkjeomld.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Kdbjhbbd.exeC:\Windows\system32\Kdbjhbbd.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Lddgmbpb.exeC:\Windows\system32\Lddgmbpb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Lclpdncg.exeC:\Windows\system32\Lclpdncg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Lnadagbm.exeC:\Windows\system32\Lnadagbm.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe23⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Mgobel32.exeC:\Windows\system32\Mgobel32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Mnhkbfme.exeC:\Windows\system32\Mnhkbfme.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3316 -
C:\Windows\SysWOW64\Mcecjmkl.exeC:\Windows\system32\Mcecjmkl.exe26⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe27⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe28⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe29⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3456 -
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Nlcalieg.exeC:\Windows\system32\Nlcalieg.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe34⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe35⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4316 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe37⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe38⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Neqopnhb.exeC:\Windows\system32\Neqopnhb.exe39⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Nlkgmh32.exeC:\Windows\system32\Nlkgmh32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe41⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe42⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Njpdnedf.exeC:\Windows\system32\Njpdnedf.exe43⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe44⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe45⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4996 -
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe47⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Ohfami32.exeC:\Windows\system32\Ohfami32.exe48⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe49⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Oanfen32.exeC:\Windows\system32\Oanfen32.exe50⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Odmbaj32.exeC:\Windows\system32\Odmbaj32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe52⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe53⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Oaqbkn32.exeC:\Windows\system32\Oaqbkn32.exe54⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Ohkkhhmh.exeC:\Windows\system32\Ohkkhhmh.exe55⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe56⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe57⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe58⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe59⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Pddhbipj.exeC:\Windows\system32\Pddhbipj.exe60⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Plkpcfal.exeC:\Windows\system32\Plkpcfal.exe61⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Pmlmkn32.exeC:\Windows\system32\Pmlmkn32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Pdfehh32.exeC:\Windows\system32\Pdfehh32.exe63⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Pkpmdbfd.exeC:\Windows\system32\Pkpmdbfd.exe64⤵
- Executes dropped EXE
PID:5140 -
C:\Windows\SysWOW64\Pajeam32.exeC:\Windows\system32\Pajeam32.exe65⤵
- Executes dropped EXE
PID:5188 -
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe66⤵PID:5228
-
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe67⤵PID:5268
-
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe68⤵PID:5304
-
C:\Windows\SysWOW64\Popbpqjh.exeC:\Windows\system32\Popbpqjh.exe69⤵PID:5348
-
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe70⤵PID:5392
-
C:\Windows\SysWOW64\Pocpfphe.exeC:\Windows\system32\Pocpfphe.exe71⤵PID:5436
-
C:\Windows\SysWOW64\Qaalblgi.exeC:\Windows\system32\Qaalblgi.exe72⤵
- Modifies registry class
PID:5476 -
C:\Windows\SysWOW64\Qhkdof32.exeC:\Windows\system32\Qhkdof32.exe73⤵PID:5524
-
C:\Windows\SysWOW64\Qmhlgmmm.exeC:\Windows\system32\Qmhlgmmm.exe74⤵PID:5584
-
C:\Windows\SysWOW64\Qdbdcg32.exeC:\Windows\system32\Qdbdcg32.exe75⤵PID:5644
-
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe76⤵PID:5684
-
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe77⤵PID:5724
-
C:\Windows\SysWOW64\Aeaanjkl.exeC:\Windows\system32\Aeaanjkl.exe78⤵PID:5768
-
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe79⤵
- Drops file in System32 directory
PID:5808 -
C:\Windows\SysWOW64\Aojefobm.exeC:\Windows\system32\Aojefobm.exe80⤵PID:5848
-
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe81⤵
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe82⤵PID:5932
-
C:\Windows\SysWOW64\Akqfkp32.exeC:\Windows\system32\Akqfkp32.exe83⤵PID:5972
-
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe84⤵PID:6020
-
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe85⤵PID:6056
-
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe86⤵PID:6100
-
C:\Windows\SysWOW64\Adkgje32.exeC:\Windows\system32\Adkgje32.exe87⤵PID:5124
-
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe88⤵PID:5208
-
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe89⤵
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe90⤵PID:5428
-
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe91⤵PID:5508
-
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe92⤵PID:5628
-
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe93⤵PID:5712
-
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5804 -
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe95⤵
- Modifies registry class
PID:5872 -
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe96⤵PID:5916
-
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe97⤵PID:6012
-
C:\Windows\SysWOW64\Bohbhmfm.exeC:\Windows\system32\Bohbhmfm.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6084 -
C:\Windows\SysWOW64\Bafndi32.exeC:\Windows\system32\Bafndi32.exe99⤵
- Drops file in System32 directory
PID:5156 -
C:\Windows\SysWOW64\Bddjpd32.exeC:\Windows\system32\Bddjpd32.exe100⤵PID:5288
-
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe101⤵PID:5400
-
C:\Windows\SysWOW64\Bahkih32.exeC:\Windows\system32\Bahkih32.exe102⤵PID:5632
-
C:\Windows\SysWOW64\Bdgged32.exeC:\Windows\system32\Bdgged32.exe103⤵
- Modifies registry class
PID:5760 -
C:\Windows\SysWOW64\Bkaobnio.exeC:\Windows\system32\Bkaobnio.exe104⤵PID:5940
-
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe105⤵PID:5996
-
C:\Windows\SysWOW64\Bffcpg32.exeC:\Windows\system32\Bffcpg32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6140 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe107⤵PID:5184
-
C:\Windows\SysWOW64\Ckclhn32.exeC:\Windows\system32\Ckclhn32.exe108⤵PID:5580
-
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe109⤵PID:5756
-
C:\Windows\SysWOW64\Cdlqqcnl.exeC:\Windows\system32\Cdlqqcnl.exe110⤵PID:6008
-
C:\Windows\SysWOW64\Clchbqoo.exeC:\Windows\system32\Clchbqoo.exe111⤵PID:6064
-
C:\Windows\SysWOW64\Cbpajgmf.exeC:\Windows\system32\Cbpajgmf.exe112⤵
- Drops file in System32 directory
PID:5360 -
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe113⤵PID:5896
-
C:\Windows\SysWOW64\Ckhecmcf.exeC:\Windows\system32\Ckhecmcf.exe114⤵
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Cbbnpg32.exeC:\Windows\system32\Cbbnpg32.exe115⤵PID:5764
-
C:\Windows\SysWOW64\Chlflabp.exeC:\Windows\system32\Chlflabp.exe116⤵
- Drops file in System32 directory
PID:5664 -
C:\Windows\SysWOW64\Cofnik32.exeC:\Windows\system32\Cofnik32.exe117⤵PID:5912
-
C:\Windows\SysWOW64\Cbdjeg32.exeC:\Windows\system32\Cbdjeg32.exe118⤵PID:6172
-
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe119⤵PID:6224
-
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe120⤵PID:6260
-
C:\Windows\SysWOW64\Cnkkjh32.exeC:\Windows\system32\Cnkkjh32.exe121⤵PID:6332
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-