Analysis
-
max time kernel
138s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01/06/2024, 18:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a61a85c529c321a883a4452ecec0ade62c7d5e0a11753819d540768dd732f2b.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0a61a85c529c321a883a4452ecec0ade62c7d5e0a11753819d540768dd732f2b.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0a61a85c529c321a883a4452ecec0ade62c7d5e0a11753819d540768dd732f2b.exe
-
Size
64KB
-
MD5
3f00ad9d2aac48f8a2f7e4d011722fbf
-
SHA1
3eb91e4edbcc107421ccbf0a6410dd3fe00de481
-
SHA256
0a61a85c529c321a883a4452ecec0ade62c7d5e0a11753819d540768dd732f2b
-
SHA512
730a07e849f95f1e93ab183a81521150d0df41e8a509d8f77f12166c88f42d3d30b0f67c569638c0e83215b2f61143d1d5c0fe9abfaee15f1dd4150c8645e826
-
SSDEEP
1536:9+vdwrL9CNeA4GSkVQMtJ24rUXruCHcpzt/Idn:u6rBI8IfL28pFwn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqklkbbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plkpcfal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpcdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fligqhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgifbhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaldccip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gokbgpeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehdfdek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljdai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmbegqjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpjgaoqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hecjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciihjmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjocbhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcifkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjiipk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acqgojmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offnhpfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqbala32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajjjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koajmepf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhldbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekngemhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeaanjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llmhaold.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaplqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egened32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abfdpfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clchbqoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfnhfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfdpfaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpjmph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinjhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmgelf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfjdqmng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfcok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkqoohc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgoakc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmmif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcapicdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejlnfjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amjillkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcbnpnme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohlqcagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqbeoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdldn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obnehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hehdfdek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmdnadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkcpql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gblbca32.exe -
Executes dropped EXE 64 IoCs
pid Process 1004 Kjjiej32.exe 812 Kqdaadln.exe 4748 Kcbnnpka.exe 4036 Kkjeomld.exe 4992 Knhakh32.exe 4140 Kcejco32.exe 2532 Lklbdm32.exe 3940 Lnjnqh32.exe 716 Lddgmbpb.exe 3636 Lgccinoe.exe 2268 Lnmkfh32.exe 4280 Lcjcnoej.exe 1620 Lkalplel.exe 3208 Lmbhgd32.exe 3308 Lclpdncg.exe 4020 Ljfhqh32.exe 4432 Lmdemd32.exe 4004 Lcnmin32.exe 4960 Lqbncb32.exe 548 Mglfplgk.exe 3344 Mnfnlf32.exe 3812 Mepfiq32.exe 3660 Mgobel32.exe 456 Mjmoag32.exe 1580 Mcecjmkl.exe 640 Mjokgg32.exe 772 Maiccajf.exe 3956 Mchppmij.exe 3040 Mkohaj32.exe 4696 Malpia32.exe 4928 Mgehfkop.exe 4468 Mnpabe32.exe 1608 Nclikl32.exe 1512 Nghekkmn.exe 3760 Napjdpcn.exe 2192 Nlfnaicd.exe 1388 Nmgjia32.exe 2956 Nenbjo32.exe 4740 Nhmofj32.exe 4648 Njkkbehl.exe 4644 Naecop32.exe 3880 Nhokljge.exe 4612 Njmhhefi.exe 1192 Nmlddqem.exe 4584 Neclenfo.exe 2400 Ndflak32.exe 5060 Nlmdbh32.exe 3284 Nnkpnclp.exe 4024 Najmjokc.exe 2220 Oloahhki.exe 4840 Onnmdcjm.exe 2260 Odjeljhd.exe 2484 Ojdnid32.exe 1828 Omcjep32.exe 1604 Ohhnbhok.exe 2208 Ojgjndno.exe 5004 Oelolmnd.exe 4312 Olfghg32.exe 3580 Ojigdcll.exe 1480 Omgcpokp.exe 1996 Oeokal32.exe 2672 Olicnfco.exe 4116 Okkdic32.exe 832 Omjpeo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cgifbhid.exe Chfegk32.exe File opened for modification C:\Windows\SysWOW64\Ofgdcipq.exe Oqklkbbi.exe File opened for modification C:\Windows\SysWOW64\Lgccinoe.exe Lddgmbpb.exe File created C:\Windows\SysWOW64\Ghbjikdh.dll Ojgjndno.exe File opened for modification C:\Windows\SysWOW64\Coohhlpe.exe Blqllqqa.exe File created C:\Windows\SysWOW64\Gfjkjo32.exe Gbnoiqdq.exe File created C:\Windows\SysWOW64\Hlbcnd32.exe Hffken32.exe File created C:\Windows\SysWOW64\Lqmmmmph.exe Lnoaaaad.exe File created C:\Windows\SysWOW64\Qfohjf32.dll Qemhbj32.exe File created C:\Windows\SysWOW64\Pghaae32.dll Cfipef32.exe File created C:\Windows\SysWOW64\Cfiedd32.dll Knenkbio.exe File created C:\Windows\SysWOW64\Hmjbog32.dll Jhnojl32.exe File opened for modification C:\Windows\SysWOW64\Bpjmph32.exe Bipecnkd.exe File created C:\Windows\SysWOW64\Gmojkj32.exe Gehbjm32.exe File created C:\Windows\SysWOW64\Hlpfhe32.exe Hmmfmhll.exe File created C:\Windows\SysWOW64\Gefklj32.dll Hekgfj32.exe File opened for modification C:\Windows\SysWOW64\Oqklkbbi.exe Ofegni32.exe File opened for modification C:\Windows\SysWOW64\Ojigdcll.exe Olfghg32.exe File opened for modification C:\Windows\SysWOW64\Akepfpcl.exe Ahgcjddh.exe File created C:\Windows\SysWOW64\Hahqkaaa.dll Bdbnjdfg.exe File created C:\Windows\SysWOW64\Cdhffg32.exe Cajjjk32.exe File created C:\Windows\SysWOW64\Ffceip32.exe Fnlmhc32.exe File created C:\Windows\SysWOW64\Khgbqkhj.exe Klpakj32.exe File created C:\Windows\SysWOW64\Leldmdbk.dll Bmggingc.exe File created C:\Windows\SysWOW64\Cjeejn32.dll Ejlnfjbd.exe File created C:\Windows\SysWOW64\Ndflak32.exe Neclenfo.exe File created C:\Windows\SysWOW64\Gppcmeem.exe Gmafajfi.exe File opened for modification C:\Windows\SysWOW64\Pmmlla32.exe Pfccogfc.exe File created C:\Windows\SysWOW64\Qklmpalf.exe Qhmqdemc.exe File opened for modification C:\Windows\SysWOW64\Clchbqoo.exe Cfipef32.exe File created C:\Windows\SysWOW64\Pfiddm32.exe Pdjgha32.exe File opened for modification C:\Windows\SysWOW64\Dngjff32.exe Dodjjimm.exe File created C:\Windows\SysWOW64\Lnmodnoo.dll Njjdho32.exe File created C:\Windows\SysWOW64\Ecfjqmbc.dll Mhckcgpj.exe File opened for modification C:\Windows\SysWOW64\Aeaanjkl.exe Amjillkj.exe File created C:\Windows\SysWOW64\Gbfnhm32.dll Njmhhefi.exe File created C:\Windows\SysWOW64\Phfjcf32.exe Pehngkcg.exe File created C:\Windows\SysWOW64\Aamknj32.exe Aonoao32.exe File opened for modification C:\Windows\SysWOW64\Ckmonl32.exe Cdbfab32.exe File created C:\Windows\SysWOW64\Fenghpla.dll Enbjad32.exe File opened for modification C:\Windows\SysWOW64\Jbagbebm.exe Jhkbdmbg.exe File created C:\Windows\SysWOW64\Jlllhigk.dll Ljhnlb32.exe File created C:\Windows\SysWOW64\Mjaofnii.dll Binhnomg.exe File opened for modification C:\Windows\SysWOW64\Fmmmfj32.exe Fefedmil.exe File created C:\Windows\SysWOW64\Koaagkcb.exe Knqepc32.exe File created C:\Windows\SysWOW64\Hajkqfoe.exe Hpioin32.exe File created C:\Windows\SysWOW64\Elkllcbh.dll Dngjff32.exe File created C:\Windows\SysWOW64\Akglloai.exe Ahippdbe.exe File created C:\Windows\SysWOW64\Baaelkfn.dll Ffnknafg.exe File opened for modification C:\Windows\SysWOW64\Ggkqgaol.exe Gbnhoj32.exe File created C:\Windows\SysWOW64\Jpecpo32.dll Khgbqkhj.exe File created C:\Windows\SysWOW64\Ddmhhd32.exe Dncpkjoc.exe File created C:\Windows\SysWOW64\Pecellgl.exe Pahilmoc.exe File created C:\Windows\SysWOW64\Jpaekqhh.exe Jekqmhia.exe File created C:\Windows\SysWOW64\Kffonkgk.dll Koodbl32.exe File created C:\Windows\SysWOW64\Bdojjo32.exe Bkgeainn.exe File created C:\Windows\SysWOW64\Pnbmhkia.dll Adjjeieh.exe File opened for modification C:\Windows\SysWOW64\Mjnnbk32.exe Mfbaalbi.exe File created C:\Windows\SysWOW64\Mjmoag32.exe Mgobel32.exe File created C:\Windows\SysWOW64\Nmlddqem.exe Njmhhefi.exe File opened for modification C:\Windows\SysWOW64\Omjpeo32.exe Okkdic32.exe File created C:\Windows\SysWOW64\Adfgdpmi.exe Apjkcadp.exe File opened for modification C:\Windows\SysWOW64\Gpaihooo.exe Ggkqgaol.exe File created C:\Windows\SysWOW64\Ibegfglj.exe Iimcma32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14664 14584 WerFault.exe 727 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dodjjimm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omjpeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Holfoqcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddmhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dndgfpbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaebef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iehmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfmmb32.dll" Nmaciefp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqgeihg.dll" Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjpan32.dll" Bphqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaenbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lopmii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edbiniff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbblob32.dll" Fgoakc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fboqkn32.dll" Lgibpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbnaeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mchppmij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnkpnclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aahbbkaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfiop32.dll" Ifomll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anoipp32.dll" Lnoaaaad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dajbaika.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nenbjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dglkoeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll" Cgmhcaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklbeh32.dll" Bdickcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcbnnpka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dijbno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll" Cgiohbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oloahhki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhblk32.dll" Pknqoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkqgckn.dll" Ljnlecmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npiiffqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanpie32.dll" Aabkbono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnjmc32.dll" Lddgmbpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnlmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjhmbihg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnffhgon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eicedn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcoccc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifomll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbopqlen.dll" Pldcjeia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edplhjhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Calfpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekeodnf.dll" Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Locfbi32.dll" Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll" Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll" Fqphic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doaneiop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnfaohbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fniihmpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aplaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjiib32.dll" Dgihop32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2792 wrote to memory of 1004 2792 0a61a85c529c321a883a4452ecec0ade62c7d5e0a11753819d540768dd732f2b.exe 90 PID 2792 wrote to memory of 1004 2792 0a61a85c529c321a883a4452ecec0ade62c7d5e0a11753819d540768dd732f2b.exe 90 PID 2792 wrote to memory of 1004 2792 0a61a85c529c321a883a4452ecec0ade62c7d5e0a11753819d540768dd732f2b.exe 90 PID 1004 wrote to memory of 812 1004 Kjjiej32.exe 91 PID 1004 wrote to memory of 812 1004 Kjjiej32.exe 91 PID 1004 wrote to memory of 812 1004 Kjjiej32.exe 91 PID 812 wrote to memory of 4748 812 Kqdaadln.exe 92 PID 812 wrote to memory of 4748 812 Kqdaadln.exe 92 PID 812 wrote to memory of 4748 812 Kqdaadln.exe 92 PID 4748 wrote to memory of 4036 4748 Kcbnnpka.exe 93 PID 4748 wrote to memory of 4036 4748 Kcbnnpka.exe 93 PID 4748 wrote to memory of 4036 4748 Kcbnnpka.exe 93 PID 4036 wrote to memory of 4992 4036 Kkjeomld.exe 94 PID 4036 wrote to memory of 4992 4036 Kkjeomld.exe 94 PID 4036 wrote to memory of 4992 4036 Kkjeomld.exe 94 PID 4992 wrote to memory of 4140 4992 Knhakh32.exe 95 PID 4992 wrote to memory of 4140 4992 Knhakh32.exe 95 PID 4992 wrote to memory of 4140 4992 Knhakh32.exe 95 PID 4140 wrote to memory of 2532 4140 Kcejco32.exe 96 PID 4140 wrote to memory of 2532 4140 Kcejco32.exe 96 PID 4140 wrote to memory of 2532 4140 Kcejco32.exe 96 PID 2532 wrote to memory of 3940 2532 Lklbdm32.exe 97 PID 2532 wrote to memory of 3940 2532 Lklbdm32.exe 97 PID 2532 wrote to memory of 3940 2532 Lklbdm32.exe 97 PID 3940 wrote to memory of 716 3940 Lnjnqh32.exe 98 PID 3940 wrote to memory of 716 3940 Lnjnqh32.exe 98 PID 3940 wrote to memory of 716 3940 Lnjnqh32.exe 98 PID 716 wrote to memory of 3636 716 Lddgmbpb.exe 99 PID 716 wrote to memory of 3636 716 Lddgmbpb.exe 99 PID 716 wrote to memory of 3636 716 Lddgmbpb.exe 99 PID 3636 wrote to memory of 2268 3636 Lgccinoe.exe 100 PID 3636 wrote to memory of 2268 3636 Lgccinoe.exe 100 PID 3636 wrote to memory of 2268 3636 Lgccinoe.exe 100 PID 2268 wrote to memory of 4280 2268 Lnmkfh32.exe 101 PID 2268 wrote to memory of 4280 2268 Lnmkfh32.exe 101 PID 2268 wrote to memory of 4280 2268 Lnmkfh32.exe 101 PID 4280 wrote to memory of 1620 4280 Lcjcnoej.exe 102 PID 4280 wrote to memory of 1620 4280 Lcjcnoej.exe 102 PID 4280 wrote to memory of 1620 4280 Lcjcnoej.exe 102 PID 1620 wrote to memory of 3208 1620 Lkalplel.exe 103 PID 1620 wrote to memory of 3208 1620 Lkalplel.exe 103 PID 1620 wrote to memory of 3208 1620 Lkalplel.exe 103 PID 3208 wrote to memory of 3308 3208 Lmbhgd32.exe 104 PID 3208 wrote to memory of 3308 3208 Lmbhgd32.exe 104 PID 3208 wrote to memory of 3308 3208 Lmbhgd32.exe 104 PID 3308 wrote to memory of 4020 3308 Lclpdncg.exe 105 PID 3308 wrote to memory of 4020 3308 Lclpdncg.exe 105 PID 3308 wrote to memory of 4020 3308 Lclpdncg.exe 105 PID 4020 wrote to memory of 4432 4020 Ljfhqh32.exe 106 PID 4020 wrote to memory of 4432 4020 Ljfhqh32.exe 106 PID 4020 wrote to memory of 4432 4020 Ljfhqh32.exe 106 PID 4432 wrote to memory of 4004 4432 Lmdemd32.exe 107 PID 4432 wrote to memory of 4004 4432 Lmdemd32.exe 107 PID 4432 wrote to memory of 4004 4432 Lmdemd32.exe 107 PID 4004 wrote to memory of 4960 4004 Lcnmin32.exe 108 PID 4004 wrote to memory of 4960 4004 Lcnmin32.exe 108 PID 4004 wrote to memory of 4960 4004 Lcnmin32.exe 108 PID 4960 wrote to memory of 548 4960 Lqbncb32.exe 109 PID 4960 wrote to memory of 548 4960 Lqbncb32.exe 109 PID 4960 wrote to memory of 548 4960 Lqbncb32.exe 109 PID 548 wrote to memory of 3344 548 Mglfplgk.exe 110 PID 548 wrote to memory of 3344 548 Mglfplgk.exe 110 PID 548 wrote to memory of 3344 548 Mglfplgk.exe 110 PID 3344 wrote to memory of 3812 3344 Mnfnlf32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a61a85c529c321a883a4452ecec0ade62c7d5e0a11753819d540768dd732f2b.exe"C:\Users\Admin\AppData\Local\Temp\0a61a85c529c321a883a4452ecec0ade62c7d5e0a11753819d540768dd732f2b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Kjjiej32.exeC:\Windows\system32\Kjjiej32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Kkjeomld.exeC:\Windows\system32\Kkjeomld.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Kcejco32.exeC:\Windows\system32\Kcejco32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Lklbdm32.exeC:\Windows\system32\Lklbdm32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Lnjnqh32.exeC:\Windows\system32\Lnjnqh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Lddgmbpb.exeC:\Windows\system32\Lddgmbpb.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\Lgccinoe.exeC:\Windows\system32\Lgccinoe.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\Lnmkfh32.exeC:\Windows\system32\Lnmkfh32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Lclpdncg.exeC:\Windows\system32\Lclpdncg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Ljfhqh32.exeC:\Windows\system32\Ljfhqh32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SysWOW64\Lqbncb32.exeC:\Windows\system32\Lqbncb32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Mglfplgk.exeC:\Windows\system32\Mglfplgk.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe23⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Mgobel32.exeC:\Windows\system32\Mgobel32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3660 -
C:\Windows\SysWOW64\Mjmoag32.exeC:\Windows\system32\Mjmoag32.exe25⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe26⤵PID:5100
-
C:\Windows\SysWOW64\Mcecjmkl.exeC:\Windows\system32\Mcecjmkl.exe27⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe28⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Maiccajf.exeC:\Windows\system32\Maiccajf.exe29⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3956 -
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe31⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe32⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe33⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe34⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe35⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Nghekkmn.exeC:\Windows\system32\Nghekkmn.exe36⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe37⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Nlfnaicd.exeC:\Windows\system32\Nlfnaicd.exe38⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Nmgjia32.exeC:\Windows\system32\Nmgjia32.exe39⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Nenbjo32.exeC:\Windows\system32\Nenbjo32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe41⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Njkkbehl.exeC:\Windows\system32\Njkkbehl.exe42⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe43⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Nhokljge.exeC:\Windows\system32\Nhokljge.exe44⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4612 -
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe46⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4584 -
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe48⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe49⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Nnkpnclp.exeC:\Windows\system32\Nnkpnclp.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3284 -
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe51⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe53⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Odjeljhd.exeC:\Windows\system32\Odjeljhd.exe54⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe55⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Omcjep32.exeC:\Windows\system32\Omcjep32.exe56⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe57⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe59⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4312 -
C:\Windows\SysWOW64\Ojigdcll.exeC:\Windows\system32\Ojigdcll.exe61⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Omgcpokp.exeC:\Windows\system32\Omgcpokp.exe62⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe63⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe64⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4116 -
C:\Windows\SysWOW64\Omjpeo32.exeC:\Windows\system32\Omjpeo32.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Paelfmaf.exeC:\Windows\system32\Paelfmaf.exe67⤵PID:5132
-
C:\Windows\SysWOW64\Pddhbipj.exeC:\Windows\system32\Pddhbipj.exe68⤵PID:5176
-
C:\Windows\SysWOW64\Plkpcfal.exeC:\Windows\system32\Plkpcfal.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5220 -
C:\Windows\SysWOW64\Pknqoc32.exeC:\Windows\system32\Pknqoc32.exe70⤵
- Modifies registry class
PID:5264 -
C:\Windows\SysWOW64\Pmlmkn32.exeC:\Windows\system32\Pmlmkn32.exe71⤵PID:5300
-
C:\Windows\SysWOW64\Pahilmoc.exeC:\Windows\system32\Pahilmoc.exe72⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Pecellgl.exeC:\Windows\system32\Pecellgl.exe73⤵PID:5400
-
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Pkpmdbfd.exeC:\Windows\system32\Pkpmdbfd.exe75⤵PID:5488
-
C:\Windows\SysWOW64\Pajeam32.exeC:\Windows\system32\Pajeam32.exe76⤵PID:5520
-
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5564 -
C:\Windows\SysWOW64\Phdnngdn.exeC:\Windows\system32\Phdnngdn.exe78⤵PID:5616
-
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe79⤵PID:5660
-
C:\Windows\SysWOW64\Pehngkcg.exeC:\Windows\system32\Pehngkcg.exe80⤵
- Drops file in System32 directory
PID:5708 -
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe81⤵PID:5748
-
C:\Windows\SysWOW64\Pkegpb32.exeC:\Windows\system32\Pkegpb32.exe82⤵PID:5792
-
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe83⤵PID:5832
-
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe84⤵PID:5892
-
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe85⤵
- Modifies registry class
PID:5936 -
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe86⤵PID:6008
-
C:\Windows\SysWOW64\Qmepam32.exeC:\Windows\system32\Qmepam32.exe87⤵PID:6056
-
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe88⤵
- Drops file in System32 directory
PID:6100 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe89⤵PID:4712
-
C:\Windows\SysWOW64\Qlgpod32.exeC:\Windows\system32\Qlgpod32.exe90⤵PID:5172
-
C:\Windows\SysWOW64\Qoelkp32.exeC:\Windows\system32\Qoelkp32.exe91⤵PID:5260
-
C:\Windows\SysWOW64\Qmhlgmmm.exeC:\Windows\system32\Qmhlgmmm.exe92⤵PID:5296
-
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe93⤵PID:5380
-
C:\Windows\SysWOW64\Qhmqdemc.exeC:\Windows\system32\Qhmqdemc.exe94⤵
- Drops file in System32 directory
PID:5472 -
C:\Windows\SysWOW64\Qklmpalf.exeC:\Windows\system32\Qklmpalf.exe95⤵PID:5516
-
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5612 -
C:\Windows\SysWOW64\Aeaanjkl.exeC:\Windows\system32\Aeaanjkl.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5656 -
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe98⤵PID:5732
-
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe99⤵PID:5828
-
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe100⤵PID:5920
-
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe101⤵
- Modifies registry class
PID:5988 -
C:\Windows\SysWOW64\Ahbjoe32.exeC:\Windows\system32\Ahbjoe32.exe102⤵PID:6092
-
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe103⤵PID:5140
-
C:\Windows\SysWOW64\Ahdged32.exeC:\Windows\system32\Ahdged32.exe104⤵PID:5240
-
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe105⤵PID:5376
-
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe107⤵PID:5580
-
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe108⤵PID:5704
-
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe109⤵
- Drops file in System32 directory
PID:5800 -
C:\Windows\SysWOW64\Akepfpcl.exeC:\Windows\system32\Akepfpcl.exe110⤵PID:6016
-
C:\Windows\SysWOW64\Anclbkbp.exeC:\Windows\system32\Anclbkbp.exe111⤵PID:6080
-
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe112⤵PID:5208
-
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe113⤵
- Drops file in System32 directory
PID:5396 -
C:\Windows\SysWOW64\Akglloai.exeC:\Windows\system32\Akglloai.exe114⤵PID:5552
-
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe115⤵PID:5788
-
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe116⤵PID:6084
-
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe117⤵PID:5344
-
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe118⤵PID:5680
-
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe119⤵PID:5600
-
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe120⤵
- Drops file in System32 directory
PID:5696 -
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe121⤵PID:6168
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-