Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
19-05-2024 19:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
27400aae051a5aa6b70517e89ff5ec8610d63eddafb1b67eeb411ab8c740f332.exe
Resource
win7-20240419-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
27400aae051a5aa6b70517e89ff5ec8610d63eddafb1b67eeb411ab8c740f332.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
27400aae051a5aa6b70517e89ff5ec8610d63eddafb1b67eeb411ab8c740f332.exe
-
Size
2.7MB
-
MD5
0fdad8199c72b4953e8b0bdf35580c0b
-
SHA1
7deb6cf87aa326521d696845304ec56dea0ebac9
-
SHA256
27400aae051a5aa6b70517e89ff5ec8610d63eddafb1b67eeb411ab8c740f332
-
SHA512
610cdb040ac7b7fd31af6507725f91707d1cbadd65a4032f81b9d1ffda8f8140677fc33a7d1e3845f02d8d7cbc6672647c388a02b2fea9490198ffcfce14a55e
-
SSDEEP
12288:GG/vGs0ThvEDVqvQqpCtRwKA5p8Wgx+gWVBmLnWrOxNuxC7:GG/vGs0K5hqEfAL8WJm8MoC7
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffklhqao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idnaoohk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckoilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmahdggc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcefji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inifnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmplcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlcbenjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpiipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moanaiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngkogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kappfeln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgclfje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnaocmmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boqbfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fglipi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laegiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhckpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anlmmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gakcimgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kappfeln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maphdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knmhgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqilooij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngfflj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbfdjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdllkhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhlifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdjefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efncicpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkjica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nialog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiknhbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmpnhdfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkbib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biamilfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maoajf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kincipnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgjfkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnemdecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qimhoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefhhbef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdlkld32.exe -
Executes dropped EXE 64 IoCs
pid Process 2864 Ijoeji32.exe 2600 Iqljlb32.exe 2608 Jmbgpg32.exe 1936 Kappfeln.exe 2724 Kfmhol32.exe 2532 Kmgpkfab.exe 1700 Kfoedl32.exe 2688 Kinaqg32.exe 2676 Kphimanc.exe 1644 Kpjfba32.exe 1508 Khekgc32.exe 1360 Kdlkld32.exe 2208 Laplei32.exe 380 Ldqegd32.exe 1404 Limmokib.exe 1652 Ldcamcih.exe 1912 Lipjejgp.exe 308 Ldenbcge.exe 1464 Lefkjkmc.exe 284 Lplogdmj.exe 684 Mgfgdn32.exe 1712 Mhgclfje.exe 1408 Moalhq32.exe 2904 Maphdl32.exe 1424 Mlelaeqk.exe 2912 Mcodno32.exe 2596 Mkjica32.exe 2736 Madapkmp.exe 2616 Mdejaf32.exe 2744 Njbcim32.exe 2120 Nlblkhei.exe 2812 Nghphaeo.exe 1444 Nqqdag32.exe 616 Ngkmnacm.exe 1884 Nhlifi32.exe 1056 Ncancbha.exe 2404 Njkfpl32.exe 1460 Nkmbgdfl.exe 1280 Odegpj32.exe 2296 Okoomd32.exe 1680 Obigjnkf.exe 2936 Ogfpbeim.exe 3032 Obkdonic.exe 2668 Oghlgdgk.exe 2496 Obnqem32.exe 2308 Oqqapjnk.exe 1556 Ojieip32.exe 2212 Oenifh32.exe 272 Ongnonkb.exe 1664 Paejki32.exe 1924 Pjmodopf.exe 880 Ppjglfon.exe 3076 Pjpkjond.exe 3132 Ppmdbe32.exe 3184 Peiljl32.exe 3232 Ppoqge32.exe 3288 Pelipl32.exe 3336 Ppamme32.exe 3380 Pndniaop.exe 3444 Pijbfj32.exe 3504 Qljkhe32.exe 3556 Qagcpljo.exe 3612 Ahakmf32.exe 3676 Ankdiqih.exe -
Loads dropped DLL 64 IoCs
pid Process 1736 27400aae051a5aa6b70517e89ff5ec8610d63eddafb1b67eeb411ab8c740f332.exe 1736 27400aae051a5aa6b70517e89ff5ec8610d63eddafb1b67eeb411ab8c740f332.exe 2864 Ijoeji32.exe 2864 Ijoeji32.exe 2600 Iqljlb32.exe 2600 Iqljlb32.exe 2608 Jmbgpg32.exe 2608 Jmbgpg32.exe 1936 Kappfeln.exe 1936 Kappfeln.exe 2724 Kfmhol32.exe 2724 Kfmhol32.exe 2532 Kmgpkfab.exe 2532 Kmgpkfab.exe 1700 Kfoedl32.exe 1700 Kfoedl32.exe 2688 Kinaqg32.exe 2688 Kinaqg32.exe 2676 Kphimanc.exe 2676 Kphimanc.exe 1644 Kpjfba32.exe 1644 Kpjfba32.exe 1508 Khekgc32.exe 1508 Khekgc32.exe 1360 Kdlkld32.exe 1360 Kdlkld32.exe 2208 Laplei32.exe 2208 Laplei32.exe 380 Ldqegd32.exe 380 Ldqegd32.exe 1404 Limmokib.exe 1404 Limmokib.exe 1652 Ldcamcih.exe 1652 Ldcamcih.exe 1912 Lipjejgp.exe 1912 Lipjejgp.exe 308 Ldenbcge.exe 308 Ldenbcge.exe 1464 Lefkjkmc.exe 1464 Lefkjkmc.exe 284 Lplogdmj.exe 284 Lplogdmj.exe 684 Mgfgdn32.exe 684 Mgfgdn32.exe 1712 Mhgclfje.exe 1712 Mhgclfje.exe 1408 Moalhq32.exe 1408 Moalhq32.exe 2904 Maphdl32.exe 2904 Maphdl32.exe 1424 Mlelaeqk.exe 1424 Mlelaeqk.exe 1532 Mdqafgnf.exe 1532 Mdqafgnf.exe 2596 Mkjica32.exe 2596 Mkjica32.exe 2736 Madapkmp.exe 2736 Madapkmp.exe 2616 Mdejaf32.exe 2616 Mdejaf32.exe 2744 Njbcim32.exe 2744 Njbcim32.exe 2120 Nlblkhei.exe 2120 Nlblkhei.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dgodbh32.exe Dbbkja32.exe File created C:\Windows\SysWOW64\Oghmhi32.dll Ncjqhmkm.exe File created C:\Windows\SysWOW64\Fojebabb.dll Alnqqd32.exe File created C:\Windows\SysWOW64\Ebbjqa32.dll Pndniaop.exe File opened for modification C:\Windows\SysWOW64\Fljafg32.exe Fikejl32.exe File opened for modification C:\Windows\SysWOW64\Kgemplap.exe Kaldcb32.exe File created C:\Windows\SysWOW64\Kphimanc.exe Kinaqg32.exe File opened for modification C:\Windows\SysWOW64\Ppoqge32.exe Peiljl32.exe File created C:\Windows\SysWOW64\Cndbcc32.exe Ckffgg32.exe File opened for modification C:\Windows\SysWOW64\Dfamcogo.exe Dogefd32.exe File created C:\Windows\SysWOW64\Gmbdnn32.exe Gjdhbc32.exe File opened for modification C:\Windows\SysWOW64\Kmefooki.exe Kjfjbdle.exe File opened for modification C:\Windows\SysWOW64\Kgcpjmcb.exe Keednado.exe File opened for modification C:\Windows\SysWOW64\Jbjochdi.exe Jmmfkafa.exe File created C:\Windows\SysWOW64\Khjjpi32.dll Bppoqeja.exe File created C:\Windows\SysWOW64\Bbgdfdaf.dll Gpcmpijk.exe File created C:\Windows\SysWOW64\Lkiklhim.dll Madapkmp.exe File created C:\Windows\SysWOW64\Iknecn32.dll Oghlgdgk.exe File opened for modification C:\Windows\SysWOW64\Pndniaop.exe Ppamme32.exe File opened for modification C:\Windows\SysWOW64\Gfmemc32.exe Gpcmpijk.exe File created C:\Windows\SysWOW64\Kmefooki.exe Kjfjbdle.exe File opened for modification C:\Windows\SysWOW64\Mhjbjopf.exe Melfncqb.exe File created C:\Windows\SysWOW64\Ahakmf32.exe Qagcpljo.exe File created C:\Windows\SysWOW64\Hhjhkq32.exe Hcnpbi32.exe File opened for modification C:\Windows\SysWOW64\Mhdplq32.exe Lajhofao.exe File opened for modification C:\Windows\SysWOW64\Ndmjedoi.exe Noqamn32.exe File opened for modification C:\Windows\SysWOW64\Enfenplo.exe Ekhhadmk.exe File created C:\Windows\SysWOW64\Ibijie32.dll Figlolbf.exe File created C:\Windows\SysWOW64\Hkfagfop.exe Hdlhjl32.exe File created C:\Windows\SysWOW64\Cfeddafl.exe Coklgg32.exe File opened for modification C:\Windows\SysWOW64\Jifdebic.exe Jnqphi32.exe File opened for modification C:\Windows\SysWOW64\Mpfkqb32.exe Mimbdhhb.exe File created C:\Windows\SysWOW64\Kolpjf32.dll Pgbhabjp.exe File opened for modification C:\Windows\SysWOW64\Cpnojioo.exe Cjdfmo32.exe File created C:\Windows\SysWOW64\Gmdadnkh.exe Gfjhgdck.exe File created C:\Windows\SysWOW64\Eaepofcm.dll Mdejaf32.exe File created C:\Windows\SysWOW64\Cnkajfop.dll Hahjpbad.exe File opened for modification C:\Windows\SysWOW64\Maoajf32.exe Mkeimlfm.exe File opened for modification C:\Windows\SysWOW64\Ofhick32.exe Oqkqkdne.exe File created C:\Windows\SysWOW64\Gallbqdi.dll Fljafg32.exe File created C:\Windows\SysWOW64\Opnelabi.dll Haiccald.exe File created C:\Windows\SysWOW64\Kfmhol32.exe Kappfeln.exe File created C:\Windows\SysWOW64\Efncicpm.exe Emeopn32.exe File opened for modification C:\Windows\SysWOW64\Lbqabkql.exe Lmcijcbe.exe File created C:\Windows\SysWOW64\Lnhplkhl.dll Iheddndj.exe File created C:\Windows\SysWOW64\Keednado.exe Knklagmb.exe File opened for modification C:\Windows\SysWOW64\Aalmklfi.exe Ahchbf32.exe File created C:\Windows\SysWOW64\Qinopgfb.dll Bkfjhd32.exe File opened for modification C:\Windows\SysWOW64\Cpjiajeb.exe Cfeddafl.exe File opened for modification C:\Windows\SysWOW64\Endhhp32.exe Ekelld32.exe File created C:\Windows\SysWOW64\Amfidj32.dll Ednpej32.exe File opened for modification C:\Windows\SysWOW64\Mpmapm32.exe Libicbma.exe File opened for modification C:\Windows\SysWOW64\Hiekid32.exe Hckcmjep.exe File opened for modification C:\Windows\SysWOW64\Dhbfdjdp.exe Dbhnhp32.exe File created C:\Windows\SysWOW64\Khknah32.dll Ebjglbml.exe File created C:\Windows\SysWOW64\Idgjaf32.dll Gfjhgdck.exe File created C:\Windows\SysWOW64\Eemeeh32.dll Lplogdmj.exe File created C:\Windows\SysWOW64\Emeopn32.exe Eflgccbp.exe File created C:\Windows\SysWOW64\Ohkgmi32.dll Mkgfckcj.exe File opened for modification C:\Windows\SysWOW64\Nkiogn32.exe Ndpfkdmf.exe File created C:\Windows\SysWOW64\Mnhlblil.dll Oddpfc32.exe File created C:\Windows\SysWOW64\Pfioffab.dll Ahgnke32.exe File created C:\Windows\SysWOW64\Jneohcll.dll Ahikqd32.exe File created C:\Windows\SysWOW64\Qljkhe32.exe Pijbfj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlblkhei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohfeog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmplcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlgldibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkqbaecc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbcbk32.dll" Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljilnja.dll" Pefijfii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moalhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afldcl32.dll" Kaaijdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oincig32.dll" Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohfnnkm.dll" Ijoeji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" Efppoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nceclqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pggbla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffdil32.dll" Ipgbjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdlklmn.dll" Gakcimgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhekfh32.dll" Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamcl32.dll" Chemfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmahdggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkiklhim.dll" Madapkmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgcpjmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmccegik.dll" Oobjaqaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallbqdi.dll" Fljafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooclokl.dll" Kjnfniii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjhknm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncphpjl.dll" Dfffnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fidoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjdmmdnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcacch32.dll" Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpfkqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmkloid.dll" Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjlgm32.dll" Iedkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll" Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll" Nkpegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaaijdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkaippf.dll" Ofhick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpooed32.dll" Baakhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnaocmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmlhnagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmabnaj.dll" Pgioaa32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1736 wrote to memory of 2864 1736 27400aae051a5aa6b70517e89ff5ec8610d63eddafb1b67eeb411ab8c740f332.exe 28 PID 1736 wrote to memory of 2864 1736 27400aae051a5aa6b70517e89ff5ec8610d63eddafb1b67eeb411ab8c740f332.exe 28 PID 1736 wrote to memory of 2864 1736 27400aae051a5aa6b70517e89ff5ec8610d63eddafb1b67eeb411ab8c740f332.exe 28 PID 1736 wrote to memory of 2864 1736 27400aae051a5aa6b70517e89ff5ec8610d63eddafb1b67eeb411ab8c740f332.exe 28 PID 2864 wrote to memory of 2600 2864 Ijoeji32.exe 29 PID 2864 wrote to memory of 2600 2864 Ijoeji32.exe 29 PID 2864 wrote to memory of 2600 2864 Ijoeji32.exe 29 PID 2864 wrote to memory of 2600 2864 Ijoeji32.exe 29 PID 2600 wrote to memory of 2608 2600 Iqljlb32.exe 30 PID 2600 wrote to memory of 2608 2600 Iqljlb32.exe 30 PID 2600 wrote to memory of 2608 2600 Iqljlb32.exe 30 PID 2600 wrote to memory of 2608 2600 Iqljlb32.exe 30 PID 2608 wrote to memory of 1936 2608 Jmbgpg32.exe 31 PID 2608 wrote to memory of 1936 2608 Jmbgpg32.exe 31 PID 2608 wrote to memory of 1936 2608 Jmbgpg32.exe 31 PID 2608 wrote to memory of 1936 2608 Jmbgpg32.exe 31 PID 1936 wrote to memory of 2724 1936 Kappfeln.exe 32 PID 1936 wrote to memory of 2724 1936 Kappfeln.exe 32 PID 1936 wrote to memory of 2724 1936 Kappfeln.exe 32 PID 1936 wrote to memory of 2724 1936 Kappfeln.exe 32 PID 2724 wrote to memory of 2532 2724 Kfmhol32.exe 33 PID 2724 wrote to memory of 2532 2724 Kfmhol32.exe 33 PID 2724 wrote to memory of 2532 2724 Kfmhol32.exe 33 PID 2724 wrote to memory of 2532 2724 Kfmhol32.exe 33 PID 2532 wrote to memory of 1700 2532 Kmgpkfab.exe 34 PID 2532 wrote to memory of 1700 2532 Kmgpkfab.exe 34 PID 2532 wrote to memory of 1700 2532 Kmgpkfab.exe 34 PID 2532 wrote to memory of 1700 2532 Kmgpkfab.exe 34 PID 1700 wrote to memory of 2688 1700 Kfoedl32.exe 35 PID 1700 wrote to memory of 2688 1700 Kfoedl32.exe 35 PID 1700 wrote to memory of 2688 1700 Kfoedl32.exe 35 PID 1700 wrote to memory of 2688 1700 Kfoedl32.exe 35 PID 2688 wrote to memory of 2676 2688 Kinaqg32.exe 36 PID 2688 wrote to memory of 2676 2688 Kinaqg32.exe 36 PID 2688 wrote to memory of 2676 2688 Kinaqg32.exe 36 PID 2688 wrote to memory of 2676 2688 Kinaqg32.exe 36 PID 2676 wrote to memory of 1644 2676 Kphimanc.exe 37 PID 2676 wrote to memory of 1644 2676 Kphimanc.exe 37 PID 2676 wrote to memory of 1644 2676 Kphimanc.exe 37 PID 2676 wrote to memory of 1644 2676 Kphimanc.exe 37 PID 1644 wrote to memory of 1508 1644 Kpjfba32.exe 38 PID 1644 wrote to memory of 1508 1644 Kpjfba32.exe 38 PID 1644 wrote to memory of 1508 1644 Kpjfba32.exe 38 PID 1644 wrote to memory of 1508 1644 Kpjfba32.exe 38 PID 1508 wrote to memory of 1360 1508 Khekgc32.exe 39 PID 1508 wrote to memory of 1360 1508 Khekgc32.exe 39 PID 1508 wrote to memory of 1360 1508 Khekgc32.exe 39 PID 1508 wrote to memory of 1360 1508 Khekgc32.exe 39 PID 1360 wrote to memory of 2208 1360 Kdlkld32.exe 40 PID 1360 wrote to memory of 2208 1360 Kdlkld32.exe 40 PID 1360 wrote to memory of 2208 1360 Kdlkld32.exe 40 PID 1360 wrote to memory of 2208 1360 Kdlkld32.exe 40 PID 2208 wrote to memory of 380 2208 Laplei32.exe 41 PID 2208 wrote to memory of 380 2208 Laplei32.exe 41 PID 2208 wrote to memory of 380 2208 Laplei32.exe 41 PID 2208 wrote to memory of 380 2208 Laplei32.exe 41 PID 380 wrote to memory of 1404 380 Ldqegd32.exe 42 PID 380 wrote to memory of 1404 380 Ldqegd32.exe 42 PID 380 wrote to memory of 1404 380 Ldqegd32.exe 42 PID 380 wrote to memory of 1404 380 Ldqegd32.exe 42 PID 1404 wrote to memory of 1652 1404 Limmokib.exe 43 PID 1404 wrote to memory of 1652 1404 Limmokib.exe 43 PID 1404 wrote to memory of 1652 1404 Limmokib.exe 43 PID 1404 wrote to memory of 1652 1404 Limmokib.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\27400aae051a5aa6b70517e89ff5ec8610d63eddafb1b67eeb411ab8c740f332.exe"C:\Users\Admin\AppData\Local\Temp\27400aae051a5aa6b70517e89ff5ec8610d63eddafb1b67eeb411ab8c740f332.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:284 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe27⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe28⤵
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe34⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe35⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe36⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe38⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe39⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe40⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe41⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe43⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe44⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe45⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe47⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe48⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe49⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe50⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe51⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe52⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe53⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe55⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe56⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe58⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3336 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3380 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3444 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe63⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3556 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe65⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe66⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:3732 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe68⤵PID:3804
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe69⤵PID:3860
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe70⤵PID:3924
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3988 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe72⤵PID:4048
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe73⤵
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe74⤵PID:3000
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe75⤵PID:2036
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe76⤵PID:1412
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3004 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe78⤵PID:2216
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe79⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3104 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe81⤵
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe82⤵PID:3264
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe83⤵
- Drops file in System32 directory
PID:3332 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe84⤵PID:3388
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe85⤵PID:2896
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe86⤵PID:3584
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe87⤵PID:1996
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe88⤵
- Modifies registry class
PID:3664 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe90⤵
- Drops file in System32 directory
PID:3836 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe91⤵PID:3840
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe92⤵PID:3912
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe93⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe94⤵PID:4024
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe95⤵PID:2592
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe96⤵
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe97⤵PID:1604
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe98⤵PID:3024
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe100⤵PID:316
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3112 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe102⤵PID:828
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe103⤵PID:3280
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe104⤵
- Modifies registry class
PID:3272 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe105⤵PID:3376
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe106⤵
- Modifies registry class
PID:3404 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe107⤵PID:3424
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe108⤵
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe109⤵
- Drops file in System32 directory
PID:3608 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3720 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe111⤵PID:1240
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe112⤵
- Modifies registry class
PID:3776 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe113⤵PID:3820
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe114⤵PID:2660
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe115⤵PID:3900
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe116⤵PID:4088
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe117⤵PID:1452
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe118⤵PID:2752
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe119⤵PID:2224
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe120⤵PID:1740
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe121⤵PID:1776
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-